Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*, +4 more
- >= 6.4.0, < 6.4.0-rc0
A vulnerability in the Linux kernel's handling of UDP Generic Segmentation Offload (GSO) has been identified that leads to a NULL pointer dereference. The issue arises when UDP GSO segments packets whose skb heads are shared: the segmentation code modifies the shared information in place, corrupting the socket buffer (skb) fragmentation list. The condition is triggered by GRO-processed packets forwarded through a bridge to both the local input path and an egress device, such as a tun interface. The fix ensures that the skb heads are writable (unshared) before the shared information is modified, preventing the corruption.
Triggering this vulnerability causes a kernel NULL pointer dereference and therefore a crash (denial of service). Kernel NULL pointer dereferences can in some circumstances also be leveraged for arbitrary code execution in the kernel context.
To reproduce this vulnerability, create a bridge that feeds packets processed by the receive-side Generic Receive Offload (GRO) list into both the local input path and an egress device, such as a tun interface. This recreates the conditions that corrupt the skb. The vulnerability can be observed by monitoring the kernel log for oops messages reporting a NULL pointer dereference.
Users can upgrade to the latest patched version of the Linux kernel to address this vulnerability.