Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
An integer overflow vulnerability has been identified in the Linux kernel's RNDIS host driver. The issue lies in the 'rndis_query' function, where the 'offset' and 'length' values, both 32-bit unsigned integers (uint32), are taken from the incoming RNDIS response message. A response can set 'offset' to an excessively large value so that the sum of 'offset', 'length' and 8 exceeds the maximum value of a 32-bit integer; because the addition wraps modulo 2^32, the result looks small and passes the buffer-size validation check. The response pointer, computed from the unchecked 'offset', then references memory beyond the intended buffer limits. As a result, the flaw could be exploited to leak information, such as the data returned for the permanent address OID, RNDIS_OID_802_3_PERMANENT_ADDRESS.
Exploitation of this vulnerability could lead to unauthorized information disclosure by allowing access to memory locations beyond the intended buffer boundaries, potentially leaking sensitive data such as the RNDIS permanent address.
The vulnerability can be reproduced with a crafted RNDIS response message whose 'offset' field is set to a large value that, once 'length' and 8 are added to it, overflows a 32-bit integer; 'rndis_query' then accepts the message as valid. Because the driver takes both 'offset' and 'length' directly from the response it processes, controlling those two fields is enough to bypass the buffer-size validation.
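To make the arithmetic in the description concrete, here is an added C model written for this page; it is not the kernel driver's own code. It places the overflow-prone form of the bounds check beside an overflow-safe rewrite, then parses constructed RNDIS query-completion messages with the safe form. The buffer size (1025), the 24-byte header layout, the message-type value and the fake address bytes are assumptions made for the illustration; only the "offset + length + 8 against the buffer size" shape of the check comes from the description above.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed sizes for this model; the driver's real control buffer size is
 * not stated on the page. MARGIN is the 8 the description says is added. */
#define BUF_SIZE 1025u
#define MARGIN   8u
#define HDR_LEN  24u   /* modelled query-completion header, see demo_case() */

/* Overflow-prone form of the check: computes the sum first. Every operand
 * is uint32_t, so MARGIN + off + len wraps modulo 2^32, and a huge offset
 * can yield a small "end" that passes the comparison. */
bool unsafe_bounds_ok(uint32_t off, uint32_t len)
{
    uint32_t end = MARGIN + off + len;      /* may wrap */
    return end <= BUF_SIZE;
}

/* Overflow-safe form: never builds the sum. Each operand is compared
 * against the room that remains, and each subtraction only runs on values
 * already proven small enough, so nothing can wrap. */
bool safe_bounds_ok(uint32_t off, uint32_t len)
{
    if (off > BUF_SIZE - MARGIN)
        return false;
    if (len > BUF_SIZE - MARGIN - off)
        return false;
    return true;
}

static uint32_t rd_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void wr_le32(uint8_t *p, uint32_t v)
{
    p[0] = v & 0xff;         p[1] = (v >> 8) & 0xff;
    p[2] = (v >> 16) & 0xff; p[3] = (v >> 24) & 0xff;
}

/* Modelled query-completion layout (little-endian 32-bit fields):
 *   0 type, 4 msg_len, 8 request_id, 12 status, 16 info_len, 20 info_off
 * info_off is counted from the start of request_id (byte 8), which is why
 * the check carries an 8-byte margin. Returns the byte index of the
 * information buffer inside msg, or -1 if the message is rejected. */
long locate_info(const uint8_t *msg, size_t msg_len)
{
    if (msg_len < HDR_LEN || msg_len > BUF_SIZE)
        return -1;
    uint32_t len = rd_le32(msg + 16);
    uint32_t off = rd_le32(msg + 20);
    if (!safe_bounds_ok(off, len))
        return -1;
    /* The sum cannot wrap now; also keep it within the bytes received. */
    if (MARGIN + off + len > msg_len)
        return -1;
    return (long)(MARGIN + off);
}

/* Builds a constructed completion message carrying a 6-byte payload (a
 * fake permanent address) with whatever header fields the caller asks for,
 * then runs locate_info() on it. */
long demo_case(uint32_t info_len, uint32_t info_off)
{
    uint8_t msg[HDR_LEN + 6];
    static const uint8_t fake_addr[6] = {0x02, 0x00, 0x00, 0x00, 0x00, 0x01};

    wr_le32(msg + 0, 0x80000004u);   /* query-completion type as modelled */
    wr_le32(msg + 4, (uint32_t)sizeof msg);
    wr_le32(msg + 8, 1u);            /* request_id */
    wr_le32(msg + 12, 0u);           /* status: success */
    wr_le32(msg + 16, info_len);
    wr_le32(msg + 20, info_off);
    memcpy(msg + HDR_LEN, fake_addr, sizeof fake_addr);
    return locate_info(msg, sizeof msg);
}

int main(void)
{
    const uint32_t cases[][2] = {      /* {off, len}, all constructed */
        {16u, 6u},                     /* honest: payload right after header */
        {0xFFFFFFF0u, 0x20u},          /* 8 + off + len wraps to 0x18 */
        {16u, 7u},                     /* one byte past what was received */
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        uint32_t off = cases[i][0], len = cases[i][1];
        printf("off=%#x len=%#x unsafe=%d safe=%d locate=%ld\n", off, len,
               unsafe_bounds_ok(off, len), safe_bounds_ok(off, len),
               demo_case(len, off));
    }
    return 0;
}
```

The second case is the wraparound: in 32-bit arithmetic 8 + 0xFFFFFFF0 + 0x20 becomes 0x18, so the sum-first check accepts it while the rewritten check rejects it on the first comparison. Reviewing your own length checks for this "add, then compare" pattern is the general lesson; comparing each operand against the remaining room, or widening to 64 bits before adding, removes the wrap.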
Users can upgrade to the latest version of the Linux kernel where this vulnerability has been patched. The commit that addresses this issue is available in the Linux kernel stable tree.