Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
A vulnerability in the Linux kernel's handling of Geneve options can lead to a heap out-of-bounds read. The issue arises because the Geneve option structure uses a 5-bit length field for each option, allowing for a maximum size of 127 bytes. However, current Netlink policies do not enforce this length restriction, enabling an attacker to exploit a precisely 128-byte option to fake a zero-length option. This deception confuses the parsing logic, resulting in an out-of-bounds read from the heap. The vulnerability has been observed to cause a crash, as indicated by a kernel log reporting a slab-out-of-bounds error.
Exploitation of this vulnerability causes a heap out-of-bounds read, which can lead to memory corruption and potentially allow for arbitrary code execution.
The vulnerability can be reproduced by sending a Netlink message that includes a Geneve option exactly 128 bytes in size. Because the 5-bit length field wraps to zero for that size, the option is interpreted as a zero-length option, and the parsing logic reads beyond the intended bounds into adjacent heap memory.
The vulnerability has been addressed by enforcing the correct length conditions in the relevant Netlink policies.
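The length-field wrap described above and a fix-style range check, as an added example that is not code from the advisory or from the Linux kernel. The header struct is an assumed illustrative layout, the 127-byte bound is the one stated in the text, and the exact form of the kernel's Netlink policy is not reproduced here.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Model of the Geneve option header (assumed layout for illustration):
 * the length field is 5 bits wide and counts 4-byte words of data that
 * follow the 4-byte header, so it can express at most 31 words. */
struct geneve_opt_hdr {
    uint16_t opt_class;
    uint8_t  type;
    uint8_t  r:3;
    uint8_t  length:5;
};

#define GENEVE_OPT_HDR_LEN  4
#define GENEVE_OPT_DATA_MAX 127   /* bound stated in the advisory text */

/* Pre-fix behaviour: the data length is stored without a range check, so
 * 128 bytes becomes 32 words, which the 5-bit field truncates to 0. */
uint8_t encode_opt_len_unchecked(size_t data_len)
{
    struct geneve_opt_hdr h = {0};
    h.length = (uint8_t)(data_len / 4);   /* silently reduced modulo 32 */
    return h.length;
}

/* How many bytes a parser walking the options would believe this option
 * occupies, derived only from the encoded header field. */
size_t declared_opt_size(size_t data_len)
{
    return GENEVE_OPT_HDR_LEN + 4u * encode_opt_len_unchecked(data_len);
}

/* Fix-style check (assumed form, not the kernel's literal Netlink policy):
 * reject unaligned data and anything the 5-bit field cannot represent. */
int validate_opt_data_len(size_t data_len)
{
    if (data_len % 4)                    /* must be whole 4-byte words */
        return -1;
    if (data_len > GENEVE_OPT_DATA_MAX)  /* would wrap the 5-bit field */
        return -1;
    return 0;
}

int main(void)
{
    size_t len = 128;   /* constructed: the problematic option size */
    printf("data_len=%zu encoded=%u declared=%zu actual=%zu valid=%d\n",
           len, (unsigned)encode_opt_len_unchecked(len), declared_opt_size(len),
           GENEVE_OPT_HDR_LEN + len, validate_opt_data_len(len));
    return 0;
}
```

For the 128-byte case the header declares a 4-byte option while 132 bytes were actually supplied, which is the mismatch the parsing logic trips over; the validator rejects that input before it is encoded.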