Linux Kernel Tap Driver NULL Pointer Dereference Vulnerability

Vulnerability

A NULL pointer dereference vulnerability has been identified in the Linux kernel's tap driver. The crash occurs in the 'dev_parse_header_protocol' function when the 'skb->dev' field is NULL. This happens because 'tap_get_user' calls 'virtio_net_hdr_to_skb' before 'skb->dev' has been set; 'virtio_net_hdr_to_skb' relies on a valid 'skb->dev' (it reaches 'dev_parse_header_protocol' through it), so the call dereferences a NULL pointer when that requirement is not met.

Impact

Exploitation of this vulnerability causes a kernel NULL pointer dereference, which can lead to a system crash or instability.

Reproduction

The vulnerability can be reproduced by using the tap driver in a scenario where 'tap_get_user' is called before 'skb->dev' is assigned. This sequence triggers the NULL pointer dereference when 'dev_parse_header_protocol' is executed, as it requires a valid 'skb->dev' to parse network protocols correctly.

Remediation

The vulnerability has been addressed by modifying the tap driver to set 'skb->dev' before calling 'virtio_net_hdr_to_skb', ensuring that the 'dev' field is valid when needed.
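The following is an added example, not code from the Linux kernel or from this advisory's source. It models the call sequence described above and in the Vulnerability section with constructed stand-ins for 'sk_buff', 'net_device' and 'virtio_net_hdr' (the structure fields, the 'parse_protocol' callback, the 'tap0' device and the sample frame are all assumptions made for the model), and contrasts the vulnerable ordering (parse the virtio header first, assign 'skb->dev' afterwards) with the remediated ordering (assign 'skb->dev' first). Where the real kernel would oops on the NULL 'skb->dev', the model returns -EFAULT so both paths can be compared on identical input.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins for the kernel objects named in the advisory.
 * Only the fields the modelled call sequence touches are present. */
#define ETH_P_IP                 0x0800
#define VIRTIO_NET_HDR_GSO_NONE  0
#define VIRTIO_NET_HDR_GSO_TCPV4 1

struct sk_buff;

struct net_device {
    const char *name;
    /* stands in for header_ops->parse_protocol (assumption for the model) */
    uint16_t (*parse_protocol)(const struct sk_buff *skb);
};

struct sk_buff {
    struct net_device *dev;   /* NULL until the driver assigns it */
    uint16_t protocol;        /* 0 = not yet known */
    uint8_t data[14];         /* a constructed Ethernet header */
};

struct virtio_net_hdr {
    uint8_t gso_type;
};

/* Ethernet-style parse_protocol: EtherType is bytes 12-13 of the frame. */
static uint16_t eth_parse_protocol(const struct sk_buff *skb)
{
    return (uint16_t)((skb->data[12] << 8) | skb->data[13]);
}

/* Model of dev_parse_header_protocol(): it cannot parse the link-layer
 * header without skb->dev. The kernel dereferences skb->dev here, which is
 * the NULL pointer dereference the advisory describes; the model reports
 * -EFAULT instead of crashing. */
static int dev_parse_header_protocol(const struct sk_buff *skb, uint16_t *proto)
{
    if (skb->dev == NULL)
        return -EFAULT;
    *proto = skb->dev->parse_protocol(skb);
    return 0;
}

/* Model of virtio_net_hdr_to_skb(): a GSO packet whose protocol is not yet
 * known makes it ask the device to parse the header. */
static int virtio_net_hdr_to_skb(struct sk_buff *skb, const struct virtio_net_hdr *hdr)
{
    if (hdr->gso_type != VIRTIO_NET_HDR_GSO_NONE && skb->protocol == 0) {
        uint16_t proto;
        int err = dev_parse_header_protocol(skb, &proto);
        if (err)
            return err;
        skb->protocol = proto;
    }
    return 0;
}

static struct net_device tap_dev = { "tap0", eth_parse_protocol };

/* Constructed input: a GSO TCPv4 frame carrying an IPv4 EtherType. */
static void build_input(struct sk_buff *skb, struct virtio_net_hdr *hdr)
{
    memset(skb, 0, sizeof(*skb));
    skb->data[12] = 0x08;
    skb->data[13] = 0x00;
    hdr->gso_type = VIRTIO_NET_HDR_GSO_TCPV4;
}

/* Vulnerable ordering: virtio_net_hdr_to_skb() runs while skb->dev is NULL. */
int tap_get_user_vulnerable_order(struct sk_buff *skb, const struct virtio_net_hdr *hdr)
{
    int err = virtio_net_hdr_to_skb(skb, hdr);   /* skb->dev == NULL here */
    if (err)
        return err;
    skb->dev = &tap_dev;                           /* assigned too late */
    return 0;
}

/* Remediated ordering: assign skb->dev first, then parse the virtio header. */
int tap_get_user_fixed_order(struct sk_buff *skb, const struct virtio_net_hdr *hdr)
{
    skb->dev = &tap_dev;
    return virtio_net_hdr_to_skb(skb, hdr);
}

/* Wrappers that run each ordering on the same constructed input. */
int run_vulnerable_order(void)
{
    struct sk_buff skb; struct virtio_net_hdr hdr;
    build_input(&skb, &hdr);
    return tap_get_user_vulnerable_order(&skb, &hdr);
}

int run_fixed_order(void)
{
    struct sk_buff skb; struct virtio_net_hdr hdr;
    build_input(&skb, &hdr);
    return tap_get_user_fixed_order(&skb, &hdr);
}

uint16_t fixed_order_protocol(void)
{
    struct sk_buff skb; struct virtio_net_hdr hdr;
    build_input(&skb, &hdr);
    return tap_get_user_fixed_order(&skb, &hdr) == 0 ? skb.protocol : 0;
}

int main(void)
{
    printf("vulnerable order: %d (-EFAULT is %d)\n", run_vulnerable_order(), -EFAULT);
    printf("fixed order: %d, protocol 0x%04x\n", run_fixed_order(), fixed_order_protocol());
    return 0;
}
```

The only difference between the two 'tap_get_user_*' functions is the position of the 'skb->dev' assignment, which is exactly the change the remediation describes: every later consumer of the skb, including 'dev_parse_header_protocol', must be able to assume the device pointer is valid.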

Added: Jun 18, 2025, 6:14 PM
Updated: Jun 18, 2025, 6:14 PM

Vulnerability Rating

Custom Algorithm
spread: 9.0
impact: 2.5
exploitability: 5.7
remediation: 0.0
relevance: 0.2
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.