Linux Kernel BPF Tunneling Device Redirect Vulnerability

Vulnerability

A vulnerability in the Linux kernel's handling of BPF (Berkeley Packet Filter) programs can leave a packet in an invalid state when it is redirected to a tunneling device. The problem is that the packet length can end up at zero after the redirect, which triggers an assertion failure. The vulnerability was introduced in version 5.15 and is present in the stable releases from 5.15 through 5.19.12, 6.0.0 through 6.0.5, and 6.1.0 through 6.1.6.

Impact

Exploitation of this vulnerability can cause a kernel panic due to a null pointer dereference, leading to a denial of service.

Reproduction

The vulnerability can be reproduced with the Syzkaller fuzzer, which generates a packet whose length is exactly that of the Ethernet header. When that packet is redirected to a tunneling device, the BPF program pulls the layer 2 header, leaving a packet length of zero. The same sequence of actions can be driven by a BPF program loaded and executed through the BPF syscall interface.

Remediation

Users can upgrade to Linux kernel versions 5.19.13, 6.0.6, or 6.1.7, where this vulnerability has been patched.
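As an added remediation check, not taken from this advisory's source or from the kernel project's own tooling, the following Python script compares a `uname -r` string against the affected and fixed versions stated above. The release strings in its self-test are constructed; distribution and LTS backports of the fix are assumed not to exist, so treat a positive result as a prompt to confirm with your vendor's changelog.

```python
import platform
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# Inclusive affected ranges, as stated in the advisory above.
AFFECTED_RANGES = [
    ((5, 15, 0), (5, 19, 12)),
    ((6, 0, 0), (6, 0, 5)),
    ((6, 1, 0), (6, 1, 6)),
]

# First fixed release per series, from the advisory's Remediation section.
# The advisory names no fixed release below 5.19, so 5.15-5.18 map to 5.19.13.
FIXED_IN = {(5, 19): (5, 19, 13), (6, 0): (6, 0, 6), (6, 1): (6, 1, 7)}

# Matches the leading "major.minor[.patch]" of strings such as
# "6.1.5-arch1-1" or "5.15.0-76-generic"; distro suffixes are ignored.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?")


def parse_kernel_version(release: str) -> Version:
    """Extract (major, minor, patch) from a `uname -r` string; missing patch is 0."""
    m = _VERSION_RE.match(release.strip())
    if not m:
        raise ValueError(f"unrecognised kernel release string: {release!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or "0")


def is_affected(release: str) -> bool:
    """True if the upstream version lies inside one of the advisory's ranges."""
    v = parse_kernel_version(release)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


def remediation_target(release: str) -> Optional[Version]:
    """First fixed release for the running series, or None if not affected."""
    if not is_affected(release):
        return None
    v = parse_kernel_version(release)
    return FIXED_IN.get(v[:2], FIXED_IN[(5, 19)])


if __name__ == "__main__":
    running = platform.release()
    target = remediation_target(running)
    if target is None:
        print(f"{running}: not in an affected range")
    else:
        print(f"{running}: affected, upgrade to {'.'.join(map(str, target))}")
```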

Added: Sep 15, 2025, 9:28 PM
Updated: Sep 15, 2025, 9:28 PM

Vulnerability Rating

Custom Algorithm

spread          9.0
impact          2.5
exploitability  3.8
remediation     7.7
relevance       0.5
threat          4.8
urgency         2.9
incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.