Linux Kernel BareUDP NULL Pointer Dereference Vulnerability in Metadata Function

A NULL pointer dereference vulnerability has been identified in the Linux kernel's BareUDP implementation. The issue arises in the 'bareudp_fill_metadata_dst()' function, which passes a socket reference to 'udp_tunnel6_dst_lookup()' without checking for NULL. This oversight can lead to a kernel crash when the BareUDP device is inactive, as the socket reference is NULLed during the 'bareudp_stop()' process. The vulnerability was introduced in a commit that added the BareUDP module for UDP tunnel encapsulation.

Impact

Exploitation of this vulnerability causes a kernel panic due to a NULL pointer dereference, disrupting system operations and potentially leading to a denial of service.

Reproduction

The vulnerability can be reproduced by invoking the 'bareudp_fill_metadata_dst()' function while the BareUDP device is stopped. This can be done by first bringing the device down, which NULLs the socket reference, and then calling the function, which will attempt to use the NULLed socket, causing a dereference error.

Remediation

The vulnerability has been addressed by adding a NULL check for the socket reference in the 'bareudp_fill_metadata_dst()' function. Users should apply the latest patches available in the Linux kernel stable tree to mitigate this issue.