Linux Kernel Device MTU Sanitation Vulnerability in IPv6 Tunnels

A vulnerability exists in the Linux kernel's handling of device Maximum Transmission Unit (MTU) values within IPv6 tunnels, specifically in GRE over IPv6. The issue arises because the IPv6 multicast code applies a sanity check on the MTU after reading it from the device. However, certain functions can set the MTU to an invalid value, potentially leading to an underflow condition. This vulnerability can cause a kernel panic, as reported by syzbot, indicating a serious internal error.

Impact

Exploitation of this vulnerability leads to a kernel panic, causing a crash of the affected system.

Reproduction

The vulnerability can be reproduced by creating an IP6 GRE tunnel and allowing the IPv6 multicast code to read the device's MTU. If the MTU is set to an invalid value, the issue will manifest as a kernel panic, which can be observed in the system logs.

Remediation

Users can upgrade to the patched versions of the Linux kernel available in the Linux Kernel Archive.