Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
A signed integer overflow vulnerability has been identified in the Linux kernel's IPv6 data handling, specifically within the '__ip6_append_data' function of the 'ip6_output.c' file. The 'length' variable is incorrectly typed, so an addition involving it can produce a result that cannot be represented in type 'int'. The issue was detected by the Undefined Behavior Sanitizer (UBSAN), which reported the overflow when two values were added and their sum exceeded the maximum of the 'int' type. The vulnerability is present in Linux kernel versions 5.16.0 and later.
Triggering the overflow could potentially lead to memory corruption or other unintended behavior in the kernel.
The vulnerability can be reproduced by sending a UDP packet over IPv6 with a payload size that causes the total length to exceed the maximum value representable by an integer. This can be done using network tools or programming scripts that manipulate packet sizes. The overflow will trigger a UBSAN warning, indicating the signed-integer-overflow error.
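The arithmetic behind the UBSAN report, as an added example that is not kernel code or part of the original advisory: it models an 'int' length being added to a header size, shows the value a wrapping build would compute, and contrasts two guards. The function names, the sample sizes and the choice of 'size_t' as the wider type are assumptions made for illustration, and a 32-bit 'int' is assumed.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical model, not kernel code. Shows what a wrapping build computes
 * for an int sum, using unsigned arithmetic so this helper itself is defined. */
static int wrapped_sum_model(int length, int extra)
{
    return (int)((unsigned int)length + (unsigned int)extra);
}

/* Keep 'int', but detect the overflow instead of performing it.
 * __builtin_add_overflow is a GCC/Clang builtin. */
static bool add_len_int(int length, int extra, int *out)
{
    return !__builtin_add_overflow(length, extra, out);
}

/* Assumed remedy: carry the length as size_t and bound it explicitly. */
static bool add_len_size(size_t length, size_t extra, size_t limit, size_t *out)
{
    if (length > limit || extra > limit - length)
        return false;            /* sum would exceed the caller's limit */
    *out = length + extra;
    return true;
}

int main(void)
{
    int payload = INT_MAX - 4;   /* constructed value near the int limit */
    int header = 8;              /* constructed header size */
    int isum = 0;
    size_t ssum = 0;

    printf("wrapped model: %d\n", wrapped_sum_model(payload, header));
    printf("int checked:   %s\n",
           add_len_int(payload, header, &isum) ? "ok" : "rejected");
    printf("size_t bound:  %s\n",
           add_len_size((size_t)payload, (size_t)header, (size_t)INT_MAX, &ssum)
               ? "ok" : "rejected");
    return 0;
}
```

The wrapped model returns a negative number, which is why a later upper-bound comparison on the 'int' cannot be relied on to catch the oversized length.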