Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
A vulnerability in the Linux kernel's handling of NAT46 BPF programs can lead to a NULL pointer dereference, causing a kernel crash. This issue arises when a BPF program indiscriminately converts ingress IPv4 packets to IPv6, without properly managing the packet's destination metadata. The vulnerability has been addressed by clearing the destination information in all BPF helpers that modify the packet protocol, ensuring that multicast packets are correctly processed without leaving outdated IPv4 metadata.
Exploitation of this vulnerability leads to a kernel crash due to a NULL pointer dereference, disrupting system operations and potentially causing a denial of service.
To reproduce this vulnerability, attach a BPF program to a network interface that converts IPv4 packets to IPv6 at the ingress stage. This can be done using the 'tc' command to apply a BPF program that alters packet headers. Once the program is active, send IPv4 multicast packets through the interface. The BPF program will convert these packets to IPv6, but the destination metadata will still reference IPv4, causing a NULL pointer dereference when the kernel attempts to process the packet as IPv6.
The vulnerability has been fixed in the official Linux Git repository. Users should upgrade to the latest version of the Linux kernel where this issue has been addressed.
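The stale-metadata condition and the fix described above can be seen in a small user-space model. This is an added example, not kernel source or code from the original page, and every struct and function name in it is hypothetical; the NULL dereference is modelled as a return code so the program runs safely.

```c
/* User-space model (constructed, not kernel source) of an IPv4 destination
 * entry surviving a v4 -> v6 protocol flip. All names are hypothetical. */
#include <stddef.h>
#include <stdio.h>

enum proto { PROTO_IPV4 = 4, PROTO_IPV6 = 6 };

struct dst_model {            /* cached destination attached to a packet */
    enum proto family;        /* family the route lookup was done for */
    const char *idev6;        /* IPv6 device state; NULL on an IPv4 dst */
};

struct pkt_model {
    enum proto protocol;
    struct dst_model *dst;    /* NULL means no cached destination */
};

/* Before the fix: only the protocol field changes, the dst stays attached. */
static void change_proto_unfixed(struct pkt_model *p, enum proto to)
{
    p->protocol = to;
}

/* After the fix: changing the protocol also clears the cached dst. */
static void change_proto_fixed(struct pkt_model *p, enum proto to)
{
    p->protocol = to;
    p->dst = NULL;
}

/* Model of an IPv6 multicast receive step that trusts an attached dst.
 * Returns 0 = handled, 1 = fresh IPv6 lookup needed, -1 = NULL dereference. */
static int ipv6_mcast_input_model(const struct pkt_model *p)
{
    if (p->dst == NULL)
        return 1;             /* nothing cached: do a new IPv6 lookup */
    if (p->dst->idev6 == NULL)
        return -1;            /* stale IPv4 dst: the kernel would crash here */
    return 0;
}

int main(void)
{
    struct dst_model v4 = { PROTO_IPV4, NULL };   /* constructed sample input */
    struct pkt_model a = { PROTO_IPV4, &v4 }, b = a;
    change_proto_unfixed(&a, PROTO_IPV6);
    change_proto_fixed(&b, PROTO_IPV6);
    printf("unfixed=%d fixed=%d\n", ipv6_mcast_input_model(&a), ipv6_mcast_input_model(&b));
    return 0;
}
```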