Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
A null pointer dereference vulnerability has been identified in the Linux kernel's xfrm policy handling. It is triggered when an skb (socket buffer) with an attached metadata_dst is transmitted through the xfrm interface: the xfrm_lookup_with_ifid function unconditionally dereferences the dst->dev pointer, which is null in this case. Because the missing device is never checked for, its absence can be misinterpreted as the skb being associated with a loopback device, and the kernel crashes on the null pointer dereference. This vulnerability has been observed in Linux kernel versions 5.19.0 and later.
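The following is an added, illustrative userspace model and not code from the Linux kernel or from this advisory's source. It reproduces the shape of the defect just described: a dst entry whose device pointer is null (standing in for a metadata_dst) reaches a loopback check that dereferences the device without testing it. The unchecked form sits beside a hardened form that refuses to treat a missing device as loopback and instead lets the default policy decide. All struct, enum and function names (model_dst_entry, model_xfrm_lookup and so on), the sample devices, and the rule that loopback traffic bypasses a default block are simplifications assumed for the model, not kernel identifiers or kernel semantics.

```c
/* Added illustrative model, not Linux kernel code. Names and policy rules
 * are assumptions of the model, not kernel identifiers. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Same bit value as the kernel's IFF_LOOPBACK, defined locally for the model. */
#define MODEL_IFF_LOOPBACK 0x8u

struct model_net_device {
    const char *name;
    unsigned int flags;
};

/* A dst entry carries only a device pointer here; a metadata_dst is
 * represented by dev == NULL. */
struct model_dst_entry {
    struct model_net_device *dev;
};

/* Stand-in for the per-direction default policy (allow or block). */
enum model_policy_default { MODEL_POLICY_ALLOW = 0, MODEL_POLICY_BLOCK = 1 };

/* Vulnerable shape: dst->dev is dereferenced unconditionally. Passing an
 * entry with dev == NULL faults, mirroring the kernel oops. Kept only so the
 * two forms can be compared; never call it with a NULL dev. */
static bool is_loopback_unchecked(const struct model_dst_entry *dst)
{
    return (dst->dev->flags & MODEL_IFF_LOOPBACK) != 0;
}

/* Hardened shape: a missing device is never taken to mean loopback, so the
 * check is safe on a metadata_dst and the default policy still applies. */
static bool is_loopback_checked(const struct model_dst_entry *dst)
{
    return dst->dev != NULL && (dst->dev->flags & MODEL_IFF_LOOPBACK) != 0;
}

/* Model policy decision (assumed rule): loopback traffic bypasses a default
 * BLOCK, everything else is refused when the default is BLOCK. Returns 0 to
 * allow transmission and -1 (an EPERM-style refusal) to block it. */
int model_xfrm_lookup(const struct model_dst_entry *dst,
                      enum model_policy_default pol)
{
    if (!is_loopback_checked(dst) && pol == MODEL_POLICY_BLOCK)
        return -1;
    return 0;
}

/* Constructed sample objects: a loopback device, an ordinary device, and a
 * metadata_dst-style entry with no device at all. */
static struct model_net_device model_lo  = { "lo",   MODEL_IFF_LOOPBACK };
static struct model_net_device model_eth = { "eth0", 0u };
struct model_dst_entry model_dst_lo   = { &model_lo };
struct model_dst_entry model_dst_eth  = { &model_eth };
struct model_dst_entry model_dst_meta = { NULL };

int main(void)
{
    /* The unchecked form only works while dev is non-NULL. */
    printf("unchecked: lo=%d eth0=%d (entry with NULL dev would fault)\n",
           is_loopback_unchecked(&model_dst_lo),
           is_loopback_unchecked(&model_dst_eth));
    /* The checked form handles all three; the NULL-dev case falls under the
     * default policy instead of crashing. */
    printf("checked:   lo=%d eth0=%d meta=%d\n",
           is_loopback_checked(&model_dst_lo),
           is_loopback_checked(&model_dst_eth),
           is_loopback_checked(&model_dst_meta));
    printf("lookup with default BLOCK: lo=%d eth0=%d meta=%d\n",
           model_xfrm_lookup(&model_dst_lo, MODEL_POLICY_BLOCK),
           model_xfrm_lookup(&model_dst_eth, MODEL_POLICY_BLOCK),
           model_xfrm_lookup(&model_dst_meta, MODEL_POLICY_BLOCK));
    return 0;
}
```

The point of the comparison is that the hardened check does not merely avoid the crash: with a null device it yields "not loopback", so a default-block policy is still enforced for the metadata_dst case rather than being silently bypassed.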
Exploitation of this vulnerability leads to a kernel panic caused by a null pointer dereference, disrupting system operations and potentially causing a denial of service.
To reproduce this vulnerability, transmit a socket buffer with a metadata_dst attached through the xfrm interface. The xfrm_lookup_with_ifid function dereferences the null device pointer and the kernel reports a null pointer dereference oops; the kernel's error messages will include a call trace showing xfrm_lookup_with_ifid as the point of failure.
Users can upgrade to the latest stable version of the Linux kernel where this vulnerability has been addressed.