Linux Kernel TEQL NULL Pointer Dereference Vulnerability in iptunnel_xmit

A NULL pointer dereference vulnerability has been identified in the Linux kernel's TEQL (Traffic Equalization) scheduling mechanism. This issue arises when a gretap (Generic Routing Encapsulation over Ethernet) tunnel is configured as a TEQL slave. The problem occurs in the iptunnel_xmit() function, which is responsible for transmitting packets through the tunnel. The function fails to update the skb->dev (socket buffer device) to the correct slave device before initiating the transmission. As a result, the transmission path mistakenly references the TEQL master device, leading to a situation where the device statistics (tstats) for the TEQL slave are not properly allocated. This mismanagement causes a page fault, as the system attempts to access a non-existent memory page, disrupting normal kernel operations and potentially leading to a system crash.

Impact

Exploitation of this vulnerability causes a page fault in the kernel, specifically a NULL pointer dereference, which can disrupt system operations and potentially lead to a system crash.

Reproduction

To reproduce this vulnerability, create a TEQL interface and add a gretap tunnel as a slave. When packets are transmitted through the tunnel, the iptunnel_xmit() function will be called without the skb->dev being properly set to the slave device. This oversight will trigger a NULL pointer dereference when the function attempts to access the device statistics, leading to a page fault.

Remediation

The vulnerability has been fixed in the Linux kernel. Users should upgrade to the latest version where this issue has been addressed.