Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:* (4 additional CPE entries not shown)
A vulnerability has been identified in the Linux kernel's handling of UDP Generic Segmentation Offload (GSO) that leads to a NULL pointer dereference. The affected code assumes that the fragment list (frag_list) remains intact as a packet traverses the network stack. In certain situations the frag_list can be pulled into the linear area, leaving frag_list NULL; the subsequent NULL pointer dereference causes a kernel panic. The fix reverses the test condition that allowed frag_list to be disrupted.
Exploiting this vulnerability causes a kernel panic through the NULL pointer dereference, disrupting system operation and potentially resulting in a denial of service.
The vulnerability can be reproduced with UDP listified Generic Receive Offload (GRO) enabled in the Linux kernel. While UDP packets are processed, the frag_list can sometimes be pulled into the linear area, leaving it NULL. The NULL frag_list then causes a NULL pointer dereference in the skb_segment_list function, as seen in the kernel call trace at the time of the panic.
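Added example, not part of this advisory or of the kernel project's code: a POSIX shell check that reads `ethtool -k` output and reports whether the `rx-gro-list` feature (ethtool's name for listified GRO) is enabled on an interface. The advisory states that the faulty path is reached when UDP listified GRO is enabled, so this lets an administrator confirm the feature's state on hosts that have not yet received the fix. The function names `gro_list_state` and `check_iface`, and the sample ethtool output, are constructed for this example; whether turning the feature off is an acceptable interim measure depends on the deployment, and the kernel fix remains the remedy.

```shell
#!/bin/sh
# Added example (not from the advisory): report whether "rx-gro-list"
# (ethtool's feature name for listified GRO) is enabled.
# The advisory says the NULL frag_list path is reached with UDP listified
# GRO enabled, so this check confirms the feature's state on a host.

# gro_list_state: parse `ethtool -k` style output on stdin and print
# "on", "off", or "unknown" for the rx-gro-list feature.
gro_list_state() {
    awk '
        $1 == "rx-gro-list:" {
            # value may be "on", "off", "on [fixed]", "off [requested on]";
            # the second field is the effective state
            print $2; found = 1; exit
        }
        END { if (!found) print "unknown" }
    '
}

# check_iface: query a live interface and return 0 if rx-gro-list is off,
# 1 if it is on, 2 if the feature could not be determined.
check_iface() {
    iface="$1"
    state="$(ethtool -k "$iface" 2>/dev/null | gro_list_state)"
    case "$state" in
        off) printf '%s: rx-gro-list off\n' "$iface"; return 0 ;;
        on)  printf '%s: rx-gro-list ON (listified GRO active)\n' "$iface"; return 1 ;;
        *)   printf '%s: rx-gro-list unknown (ethtool missing or feature unsupported)\n' "$iface"; return 2 ;;
    esac
}

# Constructed sample of `ethtool -k` output, used when no interface is given
# so the script can be exercised without ethtool present.
SAMPLE_ETHTOOL_OUTPUT='Features for eth0:
rx-checksumming: on
tx-checksumming: on
generic-receive-offload: on
rx-gro-list: on
rx-udp-gro-forwarding: off'

if [ "$#" -gt 0 ]; then
    # usage: sh check-gro-list.sh eth0 eth1 ...
    for i in "$@"; do check_iface "$i"; done
else
    printf 'sample output -> rx-gro-list: %s\n' \
        "$(printf '%s\n' "$SAMPLE_ETHTOOL_OUTPUT" | gro_list_state)"
fi
```

Run it with interface names to check live hosts; with no arguments it parses the embedded sample, which shows `rx-gro-list: on`. The exit status of `check_iface` is intended for fleet scripts that want to flag hosts where the feature is on and the fix has not yet been applied.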