Linux Kernel NULL Pointer Dereference Vulnerability in IPv6 Route Handling

Vulnerability

A NULL pointer dereference vulnerability has been identified in the Linux kernel's IPv6 route handling. The issue arises in the 'ip6_rt_get_dev_rcu()' function, which can receive a NULL value when a slave device is being removed from a Virtual Routing and Forwarding (VRF) context. Most functions handle this case appropriately, but a recent change in 'ip6_rt_pcpu_alloc()' removed the necessary fallback to the loopback device. The vulnerability has been confirmed with the Kernel Address Sanitizer (KASAN), which indicates a null pointer dereference within a specific memory range.
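The missing-fallback pattern described above, as an added userspace example that is not kernel code or code from the patch. All struct and function names (model_dev, model_master_lookup, pick_dev_no_fallback, pick_dev_with_fallback, model_alloc_route) are hypothetical, and the device state is constructed to mimic a slave that is mid-removal from its VRF.

```c
#include <stddef.h>
#include <stdio.h>

/* Simplified userspace model; hypothetical names, not kernel definitions. */
struct model_dev {
    const char *name;
    int is_l3_slave;            /* slave flag still set during removal */
    struct model_dev *master;   /* already NULL once the VRF link is gone */
    struct model_dev *loopback; /* loopback device of the namespace */
};

/* Stand-in for l3mdev_master_dev_rcu(): NULL while the slave is being removed. */
static struct model_dev *model_master_lookup(struct model_dev *dev)
{
    return dev->master;
}

/* Pattern without the fallback: a NULL master is handed to the caller. */
static struct model_dev *pick_dev_no_fallback(struct model_dev *dev)
{
    if (dev->is_l3_slave)
        return model_master_lookup(dev);
    return dev->loopback;
}

/* Hardened pattern: fall back to loopback when the master lookup is NULL. */
static struct model_dev *pick_dev_with_fallback(struct model_dev *dev)
{
    struct model_dev *out =
        dev->is_l3_slave ? model_master_lookup(dev) : dev->loopback;
    return out ? out : dev->loopback;
}

/* Stand-in for the allocation path that uses the chosen device.
 * Returns -1 where the kernel would dereference NULL. */
static int model_alloc_route(struct model_dev *chosen)
{
    if (!chosen)
        return -1;
    return chosen->name[0] != '\0';
}

int main(void)
{
    struct model_dev lo = { "lo", 0, NULL, &lo };
    struct model_dev eth = { "eth0", 1, NULL, &lo }; /* constructed: mid-removal */
    printf("no fallback:   %d\n", model_alloc_route(pick_dev_no_fallback(&eth)));
    printf("with fallback: %d\n", model_alloc_route(pick_dev_with_fallback(&eth)));
    return 0;
}
```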

Impact

Exploitation of this vulnerability leads to a NULL pointer dereference, causing a crash or undefined behavior in the kernel.

Reproduction

The vulnerability can be reproduced by removing a slave device from a VRF, which causes the 'l3mdev_master_dev_rcu()' function to return NULL. This scenario can be triggered during normal network operations involving VRF and device management.

Remediation

Users can apply the latest patches available in the Linux kernel stable tree to address this vulnerability.

Added: Mar 25, 2026, 1:04 PM
Updated: Mar 25, 2026, 1:04 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 2.5
exploitability: 5.3
remediation: 7.7
relevance: 4.7
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.