Linux Kernel IPv4 ICMP Null Pointer Dereference Vulnerability

Vulnerability

A null pointer dereference vulnerability has been identified in the Linux kernel's IPv4 ICMP implementation. The issue arises in the 'icmp_build_probe' function when the IPv6 stack is not active, and it leads to a kernel crash. The 'ipv6_dev_find' function can return an error pointer indicating that IPv6 support is not available. If this error pointer is passed to 'dev_hold' without being checked, the result is a null pointer dereference and a crash. The fix modifies the function to silently discard the request in this case, rather than misreporting an error and risking a crash.
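The error-pointer pattern described above, modeled in userspace C as an added example (not kernel code and not the actual patch). ERR_PTR, PTR_ERR and IS_ERR are re-implemented stand-ins for the kernel helpers; model_ipv6_dev_find, passes_null_check, probe_lookup_checked, the eth0 device and the -EAFNOSUPPORT value are assumptions made for illustration.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Userspace stand-ins for the kernel's error-pointer helpers (constructed). */
#define MAX_ERRNO 4095
static void *ERR_PTR(long err) { return (void *)(intptr_t)err; }
static long PTR_ERR(const void *p) { return (long)(intptr_t)p; }
static bool IS_ERR(const void *p) { return (uintptr_t)p >= (uintptr_t)-MAX_ERRNO; }

struct net_device { int refcnt; };    /* simplified model: refcount only */
static struct net_device eth0;        /* constructed sample device */
static bool ipv6_module_loaded;       /* false models CONFIG_IPV6=m, module absent */

/* Hypothetical model of the lookup: three outcomes, not two. */
static struct net_device *model_ipv6_dev_find(bool addr_known)
{
    if (!ipv6_module_loaded)
        return ERR_PTR(-EAFNOSUPPORT); /* assumed errno; non-NULL, not an object */
    return addr_known ? &eth0 : NULL;
}

/* A NULL-only test: an error pointer passes it, which is the flaw. */
static bool passes_null_check(const void *p) { return p != NULL; }

/* Hardened caller: take a reference only on a real device pointer. */
static bool probe_lookup_checked(bool addr_known, long *err)
{
    struct net_device *dev = model_ipv6_dev_find(addr_known);

    *err = 0;
    if (IS_ERR(dev)) {            /* no IPv6 stack: drop the request */
        *err = PTR_ERR(dev);
        return false;
    }
    if (!dev)                     /* no interface has that address */
        return false;
    dev->refcnt++;                /* stands in for dev_hold() */
    return true;
}

int main(void)
{
    long err;
    bool held = probe_lookup_checked(true, &err);  /* module not loaded */
    printf("held=%d err=%ld null_check_passes=%d\n", held, err,
           passes_null_check(model_ipv6_dev_find(true)));
    return 0;
}
```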

Impact

Exploitation of this vulnerability causes a kernel crash due to a null pointer dereference, disrupting system operations and potentially leading to a denial of service.

Reproduction

To reproduce this vulnerability, compile the Linux kernel with IPv6 support as a module (CONFIG_IPV6=m) but do not load the IPv6 module. Then, send an ICMP probe message that includes a valid IPv6 interface identifier. The 'icmp_build_probe' function will attempt to look up the IPv6 identifier, but will encounter the error condition, leading to a null pointer dereference and a kernel crash.

Remediation

Users can upgrade to the latest version of the Linux kernel where this vulnerability has been fixed. Instructions for downloading the patched version are available on the official Linux kernel website.

Added: May 6, 2026, 10:43 AM
Updated: May 6, 2026, 10:43 AM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 2.5
exploitability: 5.3
remediation: 7.7
relevance: 7.6
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.