Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
A NULL pointer dereference vulnerability has been identified in the IPv4 handling code of the Linux kernel's IPVS (IP Virtual Server) component. It affects versions of the Linux kernel prior to the latest patch and is reached when IPVS processes a packet in NAT mode with a misconfigured destination. The function '__ip_vs_get_out_rt()' calls 'dst_link_failure()' without ensuring that 'skb->dev' is properly set. As a result, 'fib_compute_spec_dst()' dereferences a NULL pointer when 'ipv4_link_failure()' tries to send an ICMP destination unreachable message. The problem was introduced after a previous commit changed how IP options are handled; an earlier attempt to address the NULL dereference was incomplete.
Exploitation of this vulnerability causes a kernel panic due to a NULL pointer dereference, which can lead to a denial of service by crashing the system.
To reproduce this vulnerability, IPVS must be configured to process packets in NAT mode with a misconfigured destination. When a route lookup fails, the error handling path is triggered, calling 'dst_link_failure()' with 'skb->dev' set to NULL. This sequence leads to the NULL pointer dereference in 'fib_compute_spec_dst()'.
Users can apply the latest patches available in the Linux kernel stable tree to address this vulnerability.
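The precondition described above is an IPVS service forwarding in NAT mode. The following added example (not part of the original advisory or the kernel project) lists the NAT-mode real servers from `ipvsadm -Ln` output so that hosts meeting that precondition can be prioritized for patching. The sample output and its addresses are constructed, and the function name `list_nat_services` is hypothetical. It assumes the usual `ipvsadm -Ln` layout, in which the Forward column reads `Masq` for NAT.

```shell
#!/bin/sh
# Constructed sample of `ipvsadm -Ln` output; addresses are documentation
# placeholders, not values from the advisory.
SAMPLE_IPVS='IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
  -> RemoteAddress:Port           Forward Weight ActiveConn InActConn
TCP  192.0.2.10:80 rr
  -> 198.51.100.11:80             Masq    1      0          0
  -> 198.51.100.12:80             Masq    1      0          0
TCP  192.0.2.10:443 wlc
  -> 198.51.100.21:443            Route   1      0          0
UDP  192.0.2.10:53 rr
  -> 198.51.100.31:53             Tunnel  1      0          0
  -> 198.51.100.32:53             Masq    1      0          0'

# list_nat_services (hypothetical helper): read `ipvsadm -Ln` text on stdin
# and print one line per NAT-mode real server:
#   "<proto> <virtual service> -> <real server>"
list_nat_services() {
    awk '
        # A virtual-service line starts with the protocol (or FWM for fwmark).
        $1 == "TCP" || $1 == "UDP" || $1 == "SCTP" || $1 == "FWM" {
            vs = $1 " " $2
            next
        }
        # A real-server line starts with "->"; field 3 is the forwarding
        # method. "Masq" is NAT mode, the mode named in the advisory.
        $1 == "->" && $3 == "Masq" { print vs " -> " $2 }
    '
}

# Run with --live on a director to inspect its real table (needs root and
# the ipvsadm tool); otherwise the constructed sample is parsed.
if [ "${1:-}" = "--live" ]; then
    ipvsadm -Ln | list_nat_services
else
    printf '%s\n' "$SAMPLE_IPVS" | list_nat_services
fi
```

An empty result means no NAT-mode real servers are configured; a non-empty result only shows that the precondition exists, not that the running kernel is unpatched.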