Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*, +4 more
A signed integer overflow vulnerability has been identified in the Linux kernel's TCP backlog management function, tcp_add_backlog(). The function calculates a limit by adding the receive buffer (sk_rcvbuf), the send buffer (sk_sndbuf), and a fixed value of 64KB. When the buffers are large, this sum can exceed the maximum value a signed integer can hold, and the calculation overflows. The vulnerability is present in the stable versions of the Linux kernel.
Exploitation of this vulnerability could lead to improper handling of TCP packets, potentially causing memory corruption or other unintended behavior in the network stack.
The vulnerability can be reproduced by invoking the tcp_add_backlog() function with a socket that has a large receive buffer and send buffer. The function will incorrectly calculate the limit, allowing for a signed integer overflow.
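The arithmetic described above, modelled in user space as an added example (this is not kernel code and not the upstream patch). The names limit_signed, limit_saturating and BACKLOG_HEADROOM are hypothetical, the inputs are constructed, and the widened calculation is one assumed way to harden such a sum.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define BACKLOG_HEADROOM (64 * 1024)  /* the fixed 64KB term from the description */

struct limit_result {
    int  value;       /* what a signed int holds after the sum (wrapped on overflow) */
    bool overflowed;  /* true if the true sum does not fit in a signed int */
};

/* Flawed pattern: rcvbuf + sndbuf + 64KB computed in signed int.
 * Signed overflow is undefined behaviour in C, so the compiler builtin is
 * used to detect it and to obtain the wrapped value without triggering it. */
static struct limit_result limit_signed(int rcvbuf, int sndbuf)
{
    struct limit_result r;
    int partial;
    r.overflowed  = __builtin_add_overflow(rcvbuf, sndbuf, &partial);
    r.overflowed |= __builtin_add_overflow(partial, BACKLOG_HEADROOM, &r.value);
    return r;
}

/* Hardened pattern (assumption, not the kernel's fix): widen to 64 bits so
 * the additions cannot overflow, then saturate to the unsigned 32-bit range.
 * Buffer sizes are assumed to be non-negative. */
static uint32_t limit_saturating(int rcvbuf, int sndbuf)
{
    uint64_t sum = (uint64_t)(uint32_t)rcvbuf + (uint32_t)sndbuf + BACKLOG_HEADROOM;
    return sum > UINT32_MAX ? UINT32_MAX : (uint32_t)sum;
}

int main(void)
{
    /* Constructed inputs: a typical socket, then buffers at INT_MAX. */
    int cases[][2] = { {131072, 16384}, {INT_MAX, 0}, {INT_MAX, INT_MAX} };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        struct limit_result r = limit_signed(cases[i][0], cases[i][1]);
        printf("rcvbuf=%d sndbuf=%d signed=%d overflow=%d saturating=%u\n",
               cases[i][0], cases[i][1], r.value, r.overflowed,
               (unsigned)limit_saturating(cases[i][0], cases[i][1]));
    }
    return 0;
}
```

With both buffers at INT_MAX the signed result wraps to a small positive number, so a sign check on the result alone does not catch the overflow; the overflow flag or the widened sum does.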
Users can upgrade to the latest stable version of the Linux kernel, where this vulnerability has been addressed. Instructions for downloading the patched version are available on the official Linux kernel website.