Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
A vulnerability in the Linux kernel's TIPC (Transparent Inter-Process Communication) subsystem allows a denial of service. During link MTU (Maximum Transmission Unit) negotiation, a malicious peer can send an Activate message with an excessively small MTU value, such as 4 bytes. The value is accepted without being checked against the minimum MTU requirement, and an integer overflow occurs when the MTU is processed. The resulting incorrect MTU value leads to the allocation of a large skb (socket buffer), and purging that skb crashes the kernel. The fix adds a check that the new MTU value meets the minimum requirement before the update is allowed.
Exploitation of this vulnerability causes a general protection fault in the Linux kernel, likely due to a non-canonical memory address, leading to a crash of the kernel. This behavior was observed in Linux kernel version 6.3.0.
The vulnerability can be reproduced by sending a TIPC Activate message with a very small MTU value, such as 4 bytes, to a target system. The TIPC link protocol will accept this value without checking for the minimum MTU requirement. As a result, an integer overflow occurs, setting the link's MTU to an incorrect value that causes a crash when the system attempts to process network traffic.
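The unchecked update and the wrap it produces, next to the minimum check the fix introduces, as a simplified C model. This is an added example, not kernel code: the struct, the function names and both constants are assumptions chosen for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed values for illustration; not taken from the kernel source. */
#define HDR_OVERHEAD 72u   /* assumed per-packet header overhead, bytes */
#define MIN_MTU      1000u /* assumed minimum MTU the bearer allows */

struct link_model { uint32_t mtu; };  /* hypothetical stand-in for link state */

/* Before the fix: any smaller peer-advertised value lowers the link MTU. */
void negotiate_unchecked(struct link_model *l, uint32_t peer_mtu)
{
    if (l->mtu > peer_mtu)
        l->mtu = peer_mtu;
}

/* After the fix: a value below the minimum leaves the MTU untouched.
 * Returns true when the advertised value was acceptable. */
bool negotiate_checked(struct link_model *l, uint32_t peer_mtu)
{
    if (peer_mtu < MIN_MTU)
        return false;
    if (l->mtu > peer_mtu)
        l->mtu = peer_mtu;
    return true;
}

/* Usable payload derived from the MTU. The subtraction is unsigned,
 * so it wraps to a huge value whenever mtu < HDR_OVERHEAD. */
uint32_t payload_size(const struct link_model *l)
{
    return l->mtu - HDR_OVERHEAD;
}

int main(void)
{
    struct link_model a = { 1500u }, b = { 1500u };
    negotiate_unchecked(&a, 4u);
    printf("unchecked: mtu=%u payload=%u\n", (unsigned)a.mtu, (unsigned)payload_size(&a));
    bool ok = negotiate_checked(&b, 4u);
    printf("checked:   accepted=%d mtu=%u payload=%u\n", ok, (unsigned)b.mtu, (unsigned)payload_size(&b));
    return 0;
}
```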
Users can upgrade to the latest version of the Linux kernel where this vulnerability has been fixed. Instructions for downloading the patched version are available on the official Linux kernel website.