Linux Kernel VJ Compression Null Pointer Dereference Vulnerability in PPP Instances

Vulnerability

A vulnerability in the Linux kernel's handling of VJ compression over PPP can lead to a null pointer dereference, causing a kernel crash. The issue arises when the SLIP driver is configured with no receive compression, which leaves the receive state array uninitialized. It can be triggered from an unprivileged user namespace with a crafted PPPIOCSMAXCID command, which takes advantage of missing validation of the VJ compression slot parameters. Once the malformed state is established, any VJ-compressed or uncompressed frame that selects the affected slot will crash the kernel.

Impact

Exploitation of this vulnerability causes a general protection fault: the kernel crashes on a null pointer dereference in the SLIP driver's VJ uncompression function because the receive state is missing.

Reproduction

The vulnerability can be reproduced by opening a PPP device from an unprivileged user namespace and sending a PPPIOCSMAXCID command that includes a value designed to bypass the VJ compression slot validation. This effectively sets the receive slots to zero, which is accepted as a valid configuration but leads to the receive state being null. After this, any incoming VJ-compressed or uncompressed frame that targets the first slot will trigger the null pointer dereference, causing the kernel to crash.
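
The failure mode described above, and the kind of guard that keeps a receive path from indexing a missing state array, shown as an added userspace C model. It is not the kernel's code or the upstream patch; the names vj_model, vj_model_init, vj_model_receive and the MODEL_MAX_SLOTS bound are assumptions made for illustration.

```c
/* Userspace model only. Names are hypothetical (not kernel identifiers)
 * and MODEL_MAX_SLOTS is an assumed bound. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define MODEL_MAX_SLOTS 255
enum { VJ_OK = 0, VJ_DROP = -1 };

struct vj_slot { uint8_t hdr[64]; size_t len; };
struct vj_model {
    struct vj_slot *rstate;   /* receive slots; stays NULL when rslots == 0 */
    int rslots;
};

/* As the advisory describes, zero receive slots is accepted as a valid
 * configuration, so the receive state array is never allocated. */
struct vj_model *vj_model_init(int rslots)
{
    struct vj_model *m;
    if (rslots < 0 || rslots > MODEL_MAX_SLOTS || !(m = calloc(1, sizeof *m)))
        return NULL;
    m->rslots = rslots;
    if (rslots > 0 && !(m->rstate = calloc((size_t)rslots, sizeof *m->rstate))) {
        free(m);
        return NULL;
    }
    return m;
}

/* Guarded receive path: drop the frame unless receive state exists and the
 * slot is in range. Unguarded, rstate[slot] is a NULL dereference here. */
int vj_model_receive(struct vj_model *m, int slot, const uint8_t *hdr, size_t len)
{
    if (!m || !m->rstate)
        return VJ_DROP;
    if (slot < 0 || slot >= m->rslots || len > sizeof m->rstate[slot].hdr)
        return VJ_DROP;
    memcpy(m->rstate[slot].hdr, hdr, len);
    m->rstate[slot].len = len;
    return VJ_OK;
}

int main(void)
{
    uint8_t hdr[20] = {0};   /* constructed sample header bytes */
    printf("rslots=0 -> %d\n", vj_model_receive(vj_model_init(0), 0, hdr, sizeof hdr));
    return 0;
}
```
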

Remediation

Users can upgrade to the patched version of the Linux kernel where this vulnerability has been addressed. Instructions for downloading the latest kernel can be found on the official Linux kernel website.

Added: May 27, 2026, 11:22 AM
Updated: May 27, 2026, 11:22 AM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 2.5
exploitability: 3.8
remediation: 7.7
relevance: 9.7
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.