Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
A vulnerability has been identified in the Linux kernel's handling of BPF (Berkeley Packet Filter) packet redirection. The issue arises when BPF programs, such as those tested with 'bpf_prog_test_run_skb()', redirect empty socket buffers (SKBs) with a null head, which results in an invalid packet length. Packets with incorrect lengths can then be forwarded, potentially disrupting packet flow management: for example, the 'fq_codel_drop()' function may attempt to drop a flow that has no SKBs.
Exploitation of this vulnerability could lead to improper packet handling, allowing invalid packets to disrupt network flow management processes.
The vulnerability can be reproduced by running a BPF program that redirects empty SKBs, specifically those with a null head, using the 'bpf_prog_test_run_skb()' function. This will create a scenario where the 'fq_codel_drop()' function tries to drop a flow that does not have any associated SKBs, causing the flow management to improperly handle the invalid packet.
Users should update to the latest version of the Linux kernel where this vulnerability has been addressed.