Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
A vulnerability in the Linux kernel's handling of VLAN devices has been identified. VLAN devices were previously allowed on non-Ethernet devices, which makes no sense for such devices and also led to a bug that exposed a kernel function address to user mode. The issue arises when the GARP and MRP applications are initialised for the underlying device and their multicast addresses are added: GARP and MRP multicast addresses are six bytes long, so if the underlying device's address length exceeds six bytes, an out-of-bounds read occurs. The bug can be reproduced by creating a GRE tunnel, bringing it up and adding a VLAN device on top of it, which triggers the out-of-bounds read and exposes the address of the GARP PDU receive function.
Exploitation of this vulnerability leads to an out-of-bounds read, allowing user mode to access sensitive kernel memory, potentially including addresses of kernel functions.
To reproduce this vulnerability, first create a GRE tunnel interface named 'gretest' on the loopback device. Once the tunnel is up, add a VLAN interface named 'vlantest' on top of the GRE tunnel, using VLAN ID 100. After the VLAN interface is created, the vulnerability can be confirmed by checking the multicast address table, which will reveal the address of the GARP PDU receive function, indicating that the out-of-bounds read has occurred.
The vulnerability has been addressed by modifying the VLAN device initialization process to enforce the correct type for the underlying device, preventing the creation of VLANs on non-Ethernet devices.
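The following audit script is an added example, not code from the advisory or from the kernel tree. It walks sysfs and reports every VLAN device whose lower device is not Ethernet, which is the configuration the fix rejects and the one that triggers the out-of-bounds read on an unpatched kernel. It assumes the usual sysfs layout (`uevent` carrying `DEVTYPE=vlan` for 802.1Q devices, one `lower_<name>` entry per lower device, and a `type` file holding the ARPHRD value); the sysfs root can be overridden so the check can be run against a constructed tree.

```shell
#!/bin/sh
# Added audit helper (assumption: standard sysfs layout under /sys/class/net).
# Lists VLAN devices stacked on a non-Ethernet lower device, i.e. the
# configuration the kernel fix now refuses to create.

ARPHRD_ETHER=1   # from <linux/if_arp.h>

# find_vlans_on_non_ether [sysfs-root]
# Prints "<vlan> <lower> <lower ARPHRD type>" for each finding.
# Returns 0 when no VLAN sits on a non-Ethernet device, 1 otherwise.
find_vlans_on_non_ether() {
    root="${1:-/sys/class/net}"
    found=0
    for dev in "$root"/*; do
        [ -r "$dev/uevent" ] || continue
        # Only 802.1Q devices carry DEVTYPE=vlan in their uevent file.
        grep -qx 'DEVTYPE=vlan' "$dev/uevent" || continue
        for lower in "$dev"/lower_*; do
            [ -e "$lower" ] || continue
            lname="${lower##*/lower_}"
            ltype=$(cat "$root/$lname/type" 2>/dev/null || echo unknown)
            # GARP/MRP multicast addresses are 6 bytes long; a lower device
            # whose type is not ARPHRD_ETHER is exactly what the fix rejects.
            if [ "$ltype" != "$ARPHRD_ETHER" ]; then
                echo "${dev##*/} $lname $ltype"
                found=$((found + 1))
            fi
        done
    done
    [ "$found" -eq 0 ]
}

# When executed directly, audit the live system (or the root given as $1).
find_vlans_on_non_ether "$@" || echo "VLAN device(s) on non-Ethernet lower devices found" >&2
```

A non-zero exit status means at least one VLAN is stacked on a non-Ethernet device; the reported ARPHRD value (for example 778 for an IPv4 GRE tunnel) identifies the lower device type.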