Linux Kernel ip6mr Cache Report Vulnerability Leading to skb Under Panic

A vulnerability in the Linux kernel's IP6 multicast routing (ip6mr) handling can cause a 'skb_under_panic' situation, which is a kernel bug related to improper management of network packets. This issue arises in the 'ip6mr_cache_report' function when a VLAN device is set up on 'pim6reg'. During the Duplicate Address Detection (DAD) process, a Neighbor Solicitation packet is transmitted, which triggers the vulnerability. The problem occurs because the 'skb_push' function is used incorrectly, pushing an invalid memory address that causes a kernel panic. This vulnerability affects Linux kernel versions through 6.5.0-rc3.

Impact

Exploitation of this vulnerability leads to a kernel panic, causing a denial of service by crashing the system's kernel space.

Reproduction

To reproduce this vulnerability, set up a VLAN device on 'pim6reg' in a Linux environment running a vulnerable kernel version. During the DAD process, a Neighbor Solicitation packet will be sent, which triggers the 'ip6mr_cache_report' function. The vulnerability manifests as a 'skb_under_panic' error, indicating that an invalid memory address was accessed, causing a kernel bug and a system crash.

Remediation

Users can upgrade to Linux kernel versions 6.5.0 or later, where this vulnerability has been fixed.