Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
- >= 6.5.0-rc3, < 6.5.0-rc3+
A vulnerability in the Linux kernel's IP tunneling implementation can lead to a KASAN (Kernel Address Sanitizer) error. When an ICMP error is generated in response to a nonlinear socket buffer, it causes a slab-out-of-bounds read error. This issue was observed in the Linux kernel version 6.5.0-rc3+ while running the 'iperf3' application. The vulnerability arises because the 'ip_compute_csum' function cannot process nonlinear socket buffers, leading to memory access violations.
Exploitation of this vulnerability causes a KASAN slab-out-of-bounds error, indicating a memory access violation that could potentially be exploited to cause a denial of service.
The vulnerability can be reproduced by sending an ICMP error response to a nonlinear socket buffer within an IP tunnel. This can be done by using the 'iperf3' tool to generate traffic that creates a nonlinear socket buffer, and then triggering Path MTU Discovery (PMTUD) which responds with an ICMP error. The 'ip_compute_csum' function will attempt to process the ICMP checksum for the error response, leading to the out-of-bounds memory access.
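The failure mode described above, as an added userspace model (not kernel code and not the upstream patch): a checksum routine that only understands a linear buffer is handed a length that spans paged fragments. The struct and function names are hypothetical, the sample bytes are constructed from RFC 1071's worked example, and the guard in `linear_checksum` marks the spot where an unguarded read would run past the head allocation.

```c
#include <stdint.h>
#include <stdio.h>

/* Userspace model, hypothetical names (not the kernel's sk_buff): part[0] = linear head, rest = fragments. */
struct part { const uint8_t *data; size_t len; };
struct model_skb { struct part part[3]; size_t nr; };
/* Constructed sample: RFC 1071's 8-byte example, split 3 + 2 + 3. */
static const uint8_t H[] = {0x00, 0x01, 0xf2}, F0[] = {0x03, 0xf4}, F1[] = {0xf5, 0xf6, 0xf7};
static const struct model_skb SAMPLE = { { {H, sizeof H}, {F0, sizeof F0}, {F1, sizeof F1} }, 3 };
/* Add bytes as 16-bit big-endian words; *odd carries alignment across parts. */
static uint64_t csum_add(uint64_t sum, const uint8_t *p, size_t len, int *odd)
{
    for (size_t i = 0; i < len; i++, *odd ^= 1)
        sum += *odd ? p[i] : (uint64_t)p[i] << 8;
    return sum;
}
static uint16_t csum_fold(uint64_t sum)
{
    while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}
/* Linear-only checksum. Without the guard, len > head length reads past the head. */
int linear_checksum(const struct model_skb *skb, size_t len, uint16_t *out)
{
    int odd = 0;
    if (len > skb->part[0].len) return -1;
    *out = csum_fold(csum_add(0, skb->part[0].data, len, &odd));
    return 0;
}
/* Fragment-aware checksum: consumes each part in turn and never reads past one. */
int frag_checksum(const struct model_skb *skb, size_t len, uint16_t *out)
{
    uint64_t sum = 0;
    int odd = 0;
    for (size_t i = 0; i < skb->nr && len; i++) {
        size_t n = len < skb->part[i].len ? len : skb->part[i].len;
        sum = csum_add(sum, skb->part[i].data, n, &odd);
        len -= n;
    }
    if (len) return -1; /* more bytes requested than the buffer holds */
    *out = csum_fold(sum);
    return 0;
}
int main(void)
{
    uint16_t c = 0;
    int lin = linear_checksum(&SAMPLE, 8, &c), frg = frag_checksum(&SAMPLE, 8, &c);
    return printf("linear=%d frag-aware=%d csum=0x%04x\n", lin, frg, c) < 0;
}
```

The 3 + 2 + 3 split puts fragment boundaries on odd byte offsets, so the fragment-aware walk also has to carry word alignment across parts to match the checksum of the same bytes laid out contiguously.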
Users can upgrade to the latest stable version of the Linux kernel, where this vulnerability has been addressed. Instructions for downloading the patched version are available on the official Linux kernel website.