Linux Kernel NULL Pointer Dereference Vulnerability in IPvlan L3s Mode

Vulnerability

A NULL pointer dereference vulnerability has been identified in the Linux kernel's handling of IPvlan devices in L3s mode. The issue is a race condition that arises when an IPvlan L3s device is deleted: the function 'l3mdev_l3_rcv' accesses the device's 'l3mdev_ops' after the 'ipvlan_l3s_unregister' function has set 'l3mdev_ops' to NULL, causing a NULL pointer dereference. The vulnerability can be reproduced by creating an IPvlan L3s device, deleting it, and triggering network packet processing, which results in a NULL pointer dereference and a system crash.
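The race described above can be modelled in user space. The following is an added example, not kernel code and not the upstream fix: every type and function name in it is hypothetical, and the 'window' callback stands in for teardown running on another CPU. It contrasts a receive path that re-reads the ops pointer after checking it with one that takes a single snapshot.

```c
#include <stdatomic.h>
#include <stddef.h>

/* User-space model of the race; all types and function names are hypothetical. */
struct pkt { int len; };
struct l3_ops { int (*l3_rcv)(struct pkt *p); };
struct net_dev { _Atomic(const struct l3_ops *) l3mdev_ops; };
enum { RX_PASSED = -1, RX_FAULT = -2 };
typedef void (*window_fn)(struct net_dev *d); /* teardown running at the racy point */

static int model_l3_rcv(struct pkt *p) { return p->len; }
static const struct l3_ops model_ops = { .l3_rcv = model_l3_rcv };

/* Stand-ins for device setup and the teardown step that NULLs the pointer. */
void model_register(struct net_dev *d) { atomic_store(&d->l3mdev_ops, &model_ops); }
void model_l3s_unregister(struct net_dev *d) { atomic_store(&d->l3mdev_ops, NULL); }

/* Check-then-reload: the NULL test and the call read the pointer separately,
 * so teardown inside the window leaves the second read NULL. The model
 * returns RX_FAULT where real code would dereference NULL. */
int rx_reload(struct net_dev *d, struct pkt *p, window_fn window)
{
    if (atomic_load(&d->l3mdev_ops) == NULL)
        return RX_PASSED;
    if (window) window(d);
    const struct l3_ops *ops = atomic_load(&d->l3mdev_ops); /* second read */
    return ops ? ops->l3_rcv(p) : RX_FAULT;
}

/* Single snapshot: one read, then only the local copy is used. Safe here
 * because model_ops is static; in a kernel the pointed-to object must also
 * stay alive for the duration of the call. */
int rx_snapshot(struct net_dev *d, struct pkt *p, window_fn window)
{
    const struct l3_ops *ops = atomic_load(&d->l3mdev_ops);
    if (window) window(d);
    return ops ? ops->l3_rcv(p) : RX_PASSED;
}

int main(void)
{
    struct net_dev d = {0};
    struct pkt p = { 64 }; /* constructed sample packet */
    model_register(&d);
    /* Teardown lands inside the window: the snapshot path still completes. */
    return rx_snapshot(&d, &p, model_l3s_unregister) == 64 ? 0 : 1;
}
```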

Impact

Exploitation of this vulnerability leads to a NULL pointer dereference, causing a system crash.

Reproduction

To reproduce this vulnerability, first create an IPvlan L3s device. Then, delete the device using the 'ip link del' command. This deletion will unset the 'l3mdev_ops' pointer. Afterward, initiate the processing of network packets, which will cause the NULL pointer dereference by accessing the now NULL 'l3mdev_ops' pointer, leading to a system crash.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 2.5
exploitability: 5.7
remediation: 0.0
relevance: 0.0
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.