Linux Kernel CALIPSO Option Null Pointer Dereference Vulnerability

Vulnerability

A null pointer dereference vulnerability has been identified in the Linux kernel's handling of CALIPSO options. The issue arises in the 'calipso_req_setattr' and 'calipso_req_delattr' functions, which dereference the request socket's listener pointer; when SYN Cookies are enabled, that listener can be NULL, so the dereference results in a general protection fault. The vulnerability was reported by syzkaller and can be reproduced on Fedora.

Impact

Exploitation of this vulnerability causes a general protection fault due to the null pointer dereference, which can lead to a crash of the affected process or service.

Reproduction

The vulnerability can be reproduced by sending TCP SYN packets to a vulnerable system with CALIPSO options enabled. This can be done using a tool like 'nc' (netcat) that supports sending custom TCP packets. The 'connect' operation will time out, indicating that the vulnerability has been triggered. Meanwhile, the system log will show a 'possible SYN flooding' warning, and the kernel will report a null pointer dereference error, confirming the vulnerability's exploitation.

Remediation

The vulnerability has been addressed in the Linux kernel by modifying the 'calipso_req_setattr' and 'calipso_req_delattr' functions to return an error when SYN Cookies are active, preventing the null pointer dereference.
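The following is an added, simplified model of the defect and of the fix described above; it is not the kernel's own code, and the struct names, fields and function names are hypothetical stand-ins for the kernel's request-socket and listener types. Under SYN Cookies the request socket carries no listener, so the fixed paths return an error instead of dereferencing a NULL pointer.

```c
#include <stddef.h>
#include <errno.h>
#include <sys/socket.h>

/* Hypothetical stand-ins for the kernel's listener socket and request socket. */
struct listener {
    int family;                /* address family of the listening socket */
};

struct request_sock {
    struct listener *listener; /* NULL when the SYN+ACK came from a SYN cookie */
    int label;                 /* CALIPSO label attached to this request */
};

/* Vulnerable model: reads through req->listener unconditionally, so a request
 * built from a SYN cookie (listener == NULL) is a NULL pointer dereference.
 * Kept for comparison only; never call it with a NULL listener. */
int calipso_req_setattr_vulnerable(struct request_sock *req, int label)
{
    if (req->listener->family != AF_INET6) /* crashes when listener is NULL */
        return -EAFNOSUPPORT;
    req->label = label;
    return 0;
}

/* Fixed model: refuse the operation when there is no listener, mirroring the
 * remediation of returning an error while SYN Cookies are active. */
int calipso_req_setattr_fixed(struct request_sock *req, int label)
{
    if (req->listener == NULL)
        return -EINVAL;                    /* error code chosen for this model */
    if (req->listener->family != AF_INET6) /* CALIPSO is IPv6-only */
        return -EAFNOSUPPORT;
    req->label = label;
    return 0;
}

/* The same guard protects the delete path. */
int calipso_req_delattr_fixed(struct request_sock *req)
{
    if (req->listener == NULL)
        return -EINVAL;
    req->label = 0;
    return 0;
}
```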

Added: Jul 4, 2025, 4:06 PM
Updated: Jul 4, 2025, 4:06 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 2.5
exploitability: 5.7
remediation: 0.0
relevance: 0.2
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.