Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*, +4 more
A vulnerability has been identified in the Linux kernel's Datagram Congestion Control Protocol (DCCP) error handlers, dccp_v4_err() and dccp_v6_err(), in kernel versions prior to the fix. These handlers are invoked by the ICMP and ICMPv6 receive paths when an error message arrives that quotes a DCCP packet. An ICMP error is only required to quote the IP header plus the first 8 bytes of the transport header, so the kernel guarantees only those 8 bytes of the DCCP header are present in linear skb data before calling the protocol's error handler. The DCCP handlers assumed those 8 bytes (ports, data offset, CCVal/CsCov and checksum) were sufficient, but they also read the DCCP sequence number via dccp_hdr_seq(), which lies beyond the first 8 bytes: the generic header is 12 bytes with a 24-bit sequence number (X bit clear) or 16 bytes with a 48-bit sequence number (X bit set). Reading the sequence number therefore requires an explicit pskb_may_pull() for the full basic header length before the field is accessed.
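The following stand-alone C program is an added example, not code from the kernel or from this advisory. It models the hardened prologue of a DCCP error handler: a pkt structure and may_pull() stand in for the skb and pskb_may_pull(), the header is decoded byte-by-byte from the RFC 4340 wire layout rather than from the kernel's struct dccp_hdr, and the two sample headers are constructed here. The point it shows is that the check must be done in two stages, because the X bit that decides whether the header is 12 or 16 bytes is itself outside the 8 bytes an ICMP error is guaranteed to quote.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* DCCP generic header, RFC 4340 section 5.1, as bytes on the wire:
 *   0-7 : source port, dest port, data offset, CCVal/CsCov, checksum
 *   8   : Res(3) | Type(4) | X(1)
 *   X=0 : 12-byte header, 24-bit sequence number in bytes 9-11
 *   X=1 : 16-byte header, 48-bit sequence number in bytes 10-15 */
#define DCCP_ICMP_QUOTED  8   /* bytes an ICMP error is guaranteed to quote */
#define DCCP_HDR_LEN      12  /* fixed part; enough to read the X bit        */
#define DCCP_HDR_EXT_LEN  4   /* extension present only when X=1             */

/* Hypothetical stand-in for an skb: len is the linear data available. */
struct pkt {
    const uint8_t *data;
    size_t len;
};

/* Stand-in for pskb_may_pull(): succeed only if `need` bytes are present. */
static int may_pull(const struct pkt *p, size_t need)
{
    return p->len >= need;
}

/* Basic header length depends on the X bit in byte 8. */
static size_t dccp_basic_hdr_len(const uint8_t *h)
{
    return DCCP_HDR_LEN + ((h[8] & 0x01) ? DCCP_HDR_EXT_LEN : 0);
}

/* Decode the sequence number; caller must have validated the length. */
static uint64_t dccp_hdr_seq(const uint8_t *h)
{
    if (h[8] & 0x01) {
        uint64_t hi = ((uint64_t)h[10] << 8) | h[11];
        uint64_t lo = ((uint64_t)h[12] << 24) | ((uint64_t)h[13] << 16) |
                      ((uint64_t)h[14] << 8) | h[15];
        return (hi << 32) | lo;
    }
    return ((uint64_t)h[9] << 16) | ((uint64_t)h[10] << 8) | h[11];
}

/* Hardened error-handler prologue. `offset` is where the DCCP header starts
 * inside the quoted packet (after the inner IP header). Returns 0 and fills
 * *seq, or -1 when the quoted data is too short to contain the sequence
 * number. Stage 1 pulls the fixed 12 bytes so the X bit can be read; stage 2
 * pulls the extension if X=1. Skipping either stage reproduces the bug. */
int dccp_err_read_seq(const struct pkt *p, size_t offset, uint64_t *seq)
{
    if (!may_pull(p, offset + DCCP_HDR_LEN))
        return -1;
    const uint8_t *dh = p->data + offset;
    if (!may_pull(p, offset + dccp_basic_hdr_len(dh)))
        return -1;
    *seq = dccp_hdr_seq(dh);
    return 0;
}

/* Constructed sample: 16-byte header, X=1, sequence number 0x123456789abc. */
static const uint8_t long_hdr[16] = {
    0x12, 0x34, 0x13, 0x89, 0x04, 0x00, 0x00, 0x00,
    0x01, 0x00, 0x12, 0x34, 0x56, 0x78, 0x9a, 0xbc
};

/* Constructed sample: 12-byte header, X=0, sequence number 0xabcdef. */
static const uint8_t short_hdr[12] = {
    0x12, 0x34, 0x13, 0x89, 0x03, 0x00, 0x00, 0x00,
    0x00, 0xab, 0xcd, 0xef
};

int main(void)
{
    uint64_t seq = 0;
    /* An ICMP error that quoted only the guaranteed 8 bytes: must be rejected. */
    struct pkt quoted = { long_hdr, DCCP_ICMP_QUOTED };
    printf("8-byte quote: %s\n",
           dccp_err_read_seq(&quoted, 0, &seq) ? "rejected" : "accepted");
    /* The whole header was quoted: the sequence number can be read safely. */
    struct pkt full = { long_hdr, sizeof long_hdr };
    if (dccp_err_read_seq(&full, 0, &seq) == 0)
        printf("full header: seq = 0x%llx\n", (unsigned long long)seq);
    return 0;
}
```

Note that a single check for 12 bytes is not enough: a quote that stops at byte 12 of an X=1 header passes stage 1 but still lacks the low 32 bits of the sequence number, which is why the length is re-validated after the X bit is known.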
Exploitation of this vulnerability allows the error handler to read beyond the linear data of the socket buffer that holds the quoted DCCP header. This is an out-of-bounds read, not a write, so it does not corrupt memory directly; the realistic outcomes are a kernel crash (denial of service) when the read crosses into an unmapped page, or the sequence-number check being evaluated against adjacent kernel memory, disclosing its contents indirectly through the handler's behaviour. An attacker only needs to be able to deliver ICMP or ICMPv6 error messages to a host with the DCCP protocol loaded.
The vulnerability is reached through the kernel's ICMP and ICMPv6 error paths rather than through ordinary DCCP traffic: the trigger is an ICMP error message (for example Destination Unreachable) whose quoted inner packet contains an IP header followed by only the first 8 bytes of a DCCP header, so that the header is truncated before the sequence number. Packet-crafting tools such as Scapy or hping can be used to construct such an error message with an arbitrary quoted payload. When it is delivered, the kernel pulls only the guaranteed 8 bytes and hands the packet to the DCCP error handler, which then reads the sequence number past the end of the available data.
Users should upgrade to a Linux kernel version that contains the fix, which adds the missing pskb_may_pull() check before the sequence number is read. Instructions for upgrading the kernel can be found in the official Linux documentation or through the package manager for your Linux distribution. As an interim mitigation, note that the affected handlers are only registered when the DCCP protocol module is loaded; on systems that do not use DCCP, preventing the dccp module from loading (many distributions already blacklist it) removes the reachable code path.