Linux Kernel Shift-Out-of-Bounds Vulnerability in Flow Classifier

A vulnerability in the Linux kernel's network scheduling component, specifically within the flow classification code, has been identified. The issue arises because the TCA_FLOW_RSHIFT attribute was not properly validated, allowing for undefined behavior when a 32-bit integer is right-shifted by large values. This flaw was detected by the Undefined Behavior Sanitizer, which reported a shift-out-of-bounds error. The vulnerability is present in version 6.13.0-rc3 and could be exploited during the IPv6 address resolution process, potentially leading to incorrect packet handling or transmission.

Impact

Exploitation of this vulnerability causes a shift-out-of-bounds error, which can lead to undefined behavior in the kernel. Such undefined behavior could potentially be exploited to manipulate kernel operations or memory, creating a risk of more severe consequences, such as arbitrary code execution or system instability.

Reproduction

The vulnerability can be reproduced by using a flow classifier that accepts the TCA_FLOW_RSHIFT attribute. When this attribute is set to a value greater than 31, the kernel will attempt to right-shift a 32-bit integer by an invalid amount, triggering the shift-out-of-bounds error. This can be done by configuring a network interface to use a Geneve tunnel, which will pass the invalid shift value through the flow classification process.