Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*, +4 more
A vulnerability in the Linux kernel's af_packet component has been addressed. It involved improper handling of the VLAN TCI (Tag Control Information) in the 'vlan_get_tci()' function. The original issue, identified by syzbot, was related to the 'MSG_PEEK' flag, a case that a previous fix had overlooked. This oversight could lead to a kernel crash. The vulnerability arose because 'vlan_get_tci()' modified the socket buffer (skb) in a way that was not thread-safe, so the same skb could be left in an inconsistent state when accessed by multiple CPUs simultaneously. The issue was resolved by reworking the function so that it does not alter the skb at all, which makes concurrent use on the same skb safe.
Exploitation of this vulnerability could lead to a kernel crash, causing a denial of service.
The vulnerability can be reproduced by sending a packet with the 'MSG_PEEK' flag set, which will trigger the 'vlan_get_tci()' function. The function's improper handling of the socket buffer will cause a kernel panic, resulting in a crash.
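The difference between a parser that alters a shared buffer and one that only reads it can be shown in a simplified userspace model. This is an added example, not the kernel's code: `struct pkt`, `tci_rewind()`, `tci_readonly()` and the sample frame are hypothetical and constructed for illustration, and the rewinding variant is a generic instance of the pattern rather than the original `vlan_get_tci()`.

```c
#include <stddef.h>
#include <stdint.h>

#define ETH_HLEN    14      /* dst MAC + src MAC + EtherType/TPID */
#define VLAN_HLEN   4       /* TCI + encapsulated EtherType */
#define ETH_P_8021Q 0x8100

/* Hypothetical userspace stand-in for a packet buffer shared between readers. */
struct pkt {
    const uint8_t *head;    /* first byte of the frame */
    size_t len;             /* total frame length */
    size_t data_off;        /* shared parse cursor, normally past the link header */
};

/* Constructed sample: 802.1Q frame, TCI 0x2064 (PCP 1, VID 100), inner IPv4. */
static const uint8_t sample[] = {
    0xff,0xff,0xff,0xff,0xff,0xff, 0x02,0,0,0,0,0x01,
    0x81,0x00, 0x20,0x64, 0x08,0x00, 0x45 };

/* Unsafe pattern: rewinds the shared cursor to parse, restores it afterwards.
 * 'observer' models another CPU that looks at the buffer in between. */
static int tci_rewind(struct pkt *p, uint16_t *tci, size_t *observer)
{
    size_t saved = p->data_off;
    p->data_off = 0;                    /* shared state is now inconsistent */
    if (observer)
        *observer = p->data_off;        /* what a concurrent reader would see */
    int ok = p->len >= ETH_HLEN + VLAN_HLEN &&
             ((p->head[12] << 8) | p->head[13]) == ETH_P_8021Q;
    if (ok)
        *tci = (uint16_t)((p->head[14] << 8) | p->head[15]);
    p->data_off = saved;
    return ok ? 0 : -1;
}

/* Safe pattern: const buffer, absolute offsets, bounds check, no writes. */
static int tci_readonly(const struct pkt *p, uint16_t *tci)
{
    if (p->len < ETH_HLEN + VLAN_HLEN)
        return -1;                      /* truncated frame: no VLAN header */
    if (((p->head[12] << 8) | p->head[13]) != ETH_P_8021Q)
        return -1;                      /* not 802.1Q tagged */
    *tci = (uint16_t)((p->head[14] << 8) | p->head[15]);
    return 0;
}
```

The `const` qualifier on the read-only variant lets the compiler reject any later change that writes to the buffer, which is the property that makes it safe to call from several contexts on the same packet.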