Linux Kernel Tun Driver Denial-of-Service Vulnerability

A denial-of-service vulnerability has been identified in the Linux kernel's tun driver. The issue arises in version 6.13.0-rc1 due to a flaw in the 'tun_napi_alloc_frags' function, where the implementation incorrectly processes I/O vector components. This oversight leads to the creation of a malformed socket buffer, causing a kernel crash. The vulnerability was reported by syzbot, a tool that detects bugs in the Linux kernel.

Impact

Exploitation of this vulnerability causes a kernel crash, leading to a denial-of-service condition.

Reproduction

The vulnerability can be reproduced by writing data to a tun device using the 'tun_chr_write_iter' function. This process involves the 'do_iter_readv_writev' function, which handles vectorized I/O operations. The incorrect handling of the I/O vector components in the 'tun_napi_alloc_frags' function results in a malformed socket buffer, triggering a kernel crash.