Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*, +4 more
A vulnerability has been identified in the Linux kernel's handling of string lengths when the Fortify Source feature is enabled alongside Undefined Behavior Sanitizer (UBSAN) local bounds checks. This issue can lead to a runtime panic, particularly when running Android's Compatibility Test Suite (CTS) for input hardware. The problem arises in the 'hidinput_allocate()' function, where a control-flow-dependent string length calculation can cause an out-of-bounds access, ultimately leading to a fault. The vulnerability is present in the stable Linux kernel releases that include the problematic Fortify Source implementation.
Exploitation of this vulnerability causes a runtime panic, leading to a crash of the affected process or application.
To reproduce this vulnerability, compile the Linux kernel with both the CONFIG_FORTIFY and CONFIG_UBSAN_LOCAL_BOUNDS options enabled. Then run Android's Compatibility Test Suite, specifically the 'android.hardware.input.cts.tests' section. The 'hidinput_allocate()' function is called with a local string variable whose backing storage depends on control flow, so the Fortify Source string length calculation exceeds the actual string length and triggers a runtime panic.
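The length check described above, modelled in user-space C as an added example (not the kernel's own fortify code and not part of this advisory): fortified_strlen, name_check, unterminated_check and the two buffer names are hypothetical, and the compile-time object size is passed explicitly as p_size so the effect of a bound taken from the wrong control-flow path can be seen directly.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed user-space model of the FORTIFY_SOURCE strlen() check, not the
 * kernel's own code. p_size stands in for the object size the compiler derives
 * from the pointer's declaration; SIZE_MAX means "unknown". */
struct fortify_result {
    size_t len;    /* length found, or bytes scanned before the check gave up */
    int panicked;  /* 1 if the kernel check would have called fortify_panic() */
};

static struct fortify_result fortified_strlen(const char *p, size_t p_size)
{
    struct fortify_result r = { 0, 0 };
    if (p_size == SIZE_MAX) {      /* size unknown: plain strlen, no check */
        r.len = strlen(p);
        return r;
    }
    r.len = strnlen(p, p_size);    /* never read past the known object */
    if (p_size <= r.len)           /* no terminator inside the object: trap */
        r.panicked = 1;
    return r;
}

/* A local name whose backing buffer depends on control flow (a hypothetical
 * stand-in for the pattern in hidinput_allocate()); the check is only right
 * when assumed_size matches the buffer actually selected. */
static struct fortify_result name_check(int use_long, size_t assumed_size)
{
    char short_buf[8] = "Mouse";
    char long_buf[32] = "Wireless Keyboard Consumer";
    const char *name = use_long ? long_buf : short_buf;
    return fortified_strlen(name, assumed_size);
}

/* Genuine defect: no terminator inside the object, so the bounded scan stops
 * at its end and the check fires, which is what FORTIFY is for. */
static struct fortify_result unterminated_check(void)
{
    char raw[4] = { 'a', 'b', 'c', 'd' };
    return fortified_strlen(raw, sizeof(raw));
}
```

name_check(1, 32) passes with length 26, while name_check(1, 8), the same valid string checked against the other path's buffer size, reports a trap: that mismatch is the false positive the description calls a runtime panic.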
Users can update to the latest version of the Linux kernel where this vulnerability has been addressed. The specific commit that resolves this issue is available in the Linux stable tree.