Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
A stack buffer over-read vulnerability has been identified in the Linux kernel's netfilter component, specifically in the connection tracking (conntrack) support for the Datagram Congestion Control Protocol (DCCP). The issue arises because the function 'nf_conntrack_dccp_packet()' reads only a limited portion of the DCCP header into its stack buffer, leaving out critical fields such as the header's length and certain sequence numbers. As a result, 'dccp_ack_seq()' can access memory beyond the end of that buffer, producing a stack-out-of-bounds read. The bug was found by a syzkaller fuzzing task named 'syz-executor.2'.
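As an added illustration that is not the kernel's code, the userspace C model below shows the kind of length check the page says is missing: the acknowledgement number is read only after confirming that both the delivered packet and its declared Data Offset cover the ack sub-header for the packet's type. Field offsets follow RFC 4340 rather than the kernel's struct dccp_hdr, and sample_ack is a constructed packet.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
/* Userspace model of the DCCP generic header (RFC 4340) by wire byte offset,
 * not the kernel's struct dccp_hdr. Byte 4 is Data Offset in 32-bit words,
 * byte 8 is Res(3)|Type(4)|X(1); X=1 adds 4 sequence bytes, and every type
 * except Request (0) and Data (2) is followed by an ack sub-header. */
#define DCCP_BASIC_HDR_LEN 12
#define DCCP_MAX_HDR_LEN   24   /* basic + 4 ext + 8-byte ack sub-header */
struct dccp_view { uint8_t type, x; uint64_t ack_seq; };
/* Returns 0 on success, -1 if the packet is shorter than its Type and Data
 * Offset require. The bug above is the analogue of skipping these checks and
 * reading the ack number from bytes 12..23 of a 12-byte stack copy. */
int dccp_parse(const uint8_t *pkt, size_t len, struct dccp_view *out)
{
    uint8_t hdr[DCCP_MAX_HDR_LEN];
    size_t off, need, i;
    if (len < DCCP_BASIC_HDR_LEN)
        return -1;
    out->type = (pkt[8] >> 1) & 0x0f;
    out->x = pkt[8] & 0x01;
    off = DCCP_BASIC_HDR_LEN + (out->x ? 4 : 0);  /* where the ack bits start */
    need = off;
    if (out->type != 0 && out->type != 2)
        need += out->x ? 8 : 4;  /* reserved bits + 48- or 24-bit ack number */
    if ((size_t)pkt[4] * 4 < need || len < need)  /* declared and delivered */
        return -1;
    memcpy(hdr, pkt, need);                        /* need <= DCCP_MAX_HDR_LEN */
    out->ack_seq = 0;
    /* X=1: 16 reserved bits then 48-bit ack; X=0: 8 reserved then 24-bit. */
    for (i = off + (out->x ? 2 : 1); i < need; i++)
        out->ack_seq = (out->ack_seq << 8) | hdr[i];
    return 0;
}

/* Constructed sample: 24-byte DCCP-Ack, X=1, Data Offset 6 words, ack 42. */
static const uint8_t sample_ack[24] = {
    0x04, 0xd2, 0x13, 0x89, 0x06, 0x00, 0x00, 0x00, /* ports, doff=6, csum */
    0x07, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, /* Ack|X=1, seq 1 */
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x2a  /* ack sub-header, 42 */
};
/* Parses sample_ack with a delivered length (<= 24) and a Data Offset value;
 * returns the ack number, or -1 when the parser rejects the packet. */
long long parse_sample_ack(size_t len, uint8_t doff)
{
    uint8_t pkt[sizeof sample_ack];
    struct dccp_view v;
    memcpy(pkt, sample_ack, sizeof pkt);
    pkt[4] = doff;                       /* override the declared header length */
    return dccp_parse(pkt, len, &v) ? -1 : (long long)v.ack_seq;
}
```

With the full 24-byte packet the parser returns 42; delivering only the 12-byte basic header, or declaring a Data Offset of 3 words, is rejected instead of being read past the buffer.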
Exploitation of this vulnerability causes a stack-out-of-bounds read, which can potentially be leveraged to read sensitive information from the stack or disrupt the execution flow of the program.
The vulnerability can be reproduced by sending a crafted DCCP packet through netfilter connection tracking. The packet needs a DCCP header of the shape that 'nf_conntrack_dccp_packet()' mishandles during header processing, which can be produced with any network tool or script capable of generating DCCP traffic, such as a custom application or a network testing tool with DCCP support.
Users can upgrade to the latest version of the Linux kernel where this vulnerability has been patched. Instructions for upgrading the kernel can be found in the documentation for the specific Linux distribution in use.