Linux Kernel NULL Pointer Dereference Vulnerability in HSR Module

Vulnerability

A NULL pointer dereference vulnerability has been identified in the Linux kernel's High-Availability Seamless Redundancy (HSR) module. This issue arises in the function 'hsr_get_untagged_frame()', where a call to 'skb_clone()' can lead to a crash if 'create_stripped_skb_hsr()' returns NULL. The vulnerability was reported by syzbot, which encountered a general protection fault due to a NULL pointer dereference. This issue affects Linux kernel versions prior to 6.0.1.

Impact

Exploitation of this vulnerability leads to a general protection fault, causing a crash due to a null pointer dereference.

Reproduction

The vulnerability can be reproduced by sending a frame to the HSR module that triggers the 'hsr_get_untagged_frame()' function. If the 'create_stripped_skb_hsr()' function returns NULL, the 'skb_clone()' function will attempt to clone a NULL pointer, resulting in a crash. This scenario can be simulated using the syzkaller fuzzer, which reported the issue.
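
The unchecked-return pattern described above, shown as an added userspace example in C (not kernel code and not part of the original advisory). The names 'make_stripped()', 'clone_buf()' and the two 'get_untagged_*()' functions are hypothetical stand-ins for 'create_stripped_skb_hsr()', 'skb_clone()' and 'hsr_get_untagged_frame()'; the 6-byte tag and the 'fail_alloc' switch are constructed to force the failure path.

```c
/* Userspace model only; all names here are hypothetical stand-ins. */
#include <stdlib.h>
#include <string.h>

struct buf { size_t len; unsigned char data[64]; };
struct frame { struct buf *tagged; struct buf *stripped; };

static int fail_alloc; /* set to 1 to simulate an allocation failure */

/* Strip a constructed 6-byte tag; returns NULL when allocation fails. */
static struct buf *make_stripped(const struct buf *tagged)
{
    struct buf *b = (fail_alloc || tagged->len < 6) ? NULL
                                                    : calloc(1, sizeof(*b));
    if (!b)
        return NULL;
    b->len = tagged->len - 6;
    memcpy(b->data, tagged->data + 6, b->len);
    return b;
}

/* Clone helper that, like the clone call in the advisory, reads *src. */
static struct buf *clone_buf(const struct buf *src)
{
    struct buf *b = malloc(sizeof(*b));
    if (b)
        memcpy(b, src, sizeof(*b)); /* faults if src is NULL */
    return b;
}

/* Before: the result of make_stripped() is cloned without a check. */
struct buf *get_untagged_unchecked(struct frame *f)
{
    if (!f->stripped)
        f->stripped = make_stripped(f->tagged);
    return clone_buf(f->stripped); /* NULL dereference on failure */
}

/* After: the failure is returned to the caller instead of being cloned. */
struct buf *get_untagged_checked(struct frame *f)
{
    if (!f->stripped)
        f->stripped = make_stripped(f->tagged);
    if (!f->stripped)
        return NULL; /* caller must treat NULL as "drop this frame" */
    return clone_buf(f->stripped);
}
```

Callers of the checked variant must themselves handle a NULL return, otherwise the dereference only moves one level up.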

Remediation

Users can upgrade to Linux kernel version 6.0.1 or later, where this vulnerability has been fixed.

Added: Dec 30, 2025, 5:56 PM
Updated: Dec 30, 2025, 5:56 PM

Vulnerability Rating

Custom Algorithm
spread: 9.0
impact: 2.5
exploitability: 5.7
remediation: 7.7
relevance: 1.8
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.