Linux Kernel IPv6 Route Management Vulnerability Leading to Kernel BUG

A vulnerability in the Linux kernel's IPv6 route management can cause a kernel BUG. This issue arises in the 'fib6_add_rt2node()' function when adding an IPv6 route. The problem was introduced by a previous commit that cleared the RTF_ADDRCONF flag from existing routes when a static route with the same next hop was added. This clearing process can create issues when the route has a gateway, as it then becomes eligible for Equal-Cost Multi-Path (ECMP) routing. However, the route was never added to the 'fib6_siblings' list, leading to a mismatch in sibling count. When another ECMP route is added, the 'fib6_add_rt2node()' function encounters a bug due to the count discrepancy. The vulnerability affects several versions of the Linux kernel.

Impact

The vulnerability can lead to a kernel BUG, causing a crash or unexpected behavior in the system.

Reproduction

The vulnerability can be reproduced by adding a static IPv6 route with a gateway, which will trigger the bug in the 'fib6_add_rt2node()' function. This can be done using the 'ip' command to add a static route via a network interface that supports IPv6. The 'fib6_add_rt2node()' function will then encounter a kernel BUG due to the mismatch in ECMP sibling counts.

Remediation

Users can upgrade to the latest version of the Linux kernel where this vulnerability has been fixed. Instructions for upgrading the Linux kernel can be found in the official Linux kernel documentation.