Linux Kernel Netfilter Heap-Based Buffer Overflow Vulnerability in Geneve Option Handling

Vulnerability

A heap-based buffer overflow vulnerability has been identified in the Linux kernel's netfilter component, specifically within the nft_tunnel subsystem. The issue arises when the parsing logic handles multiple NFTA_TUNNEL_KEY_OPTS_GENEVE attributes: the affected implementation applied the pointer type conversion before the addition instead of after it, so the computed pointer landed outside the intended buffer and produced a heap out-of-bounds write. The vulnerability has been addressed by correcting the pointer arithmetic and type conversion in the parsing and dumping logic.
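The following user-space model, added here as an illustration and not taken from the kernel or the fix, shows why a cast applied before the addition misplaces the write. The structure and function names (opt_hdr, opts_buf, append_opt, feed_records), the 255-byte capacity and the 8-byte sample records are all constructed assumptions. The buffer's own length check is kept correct on purpose: the point is that the check reasons about the true fill level while the cast-first expression writes somewhere else, so the check does not prevent the overflow.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define OPTS_MAX 255                      /* constructed capacity of data[] in bytes */

/* Constructed 4-byte option header; a variable-length payload follows it. */
struct opt_hdr {
    uint16_t opt_class;
    uint8_t  type;
    uint8_t  length;                      /* payload length in 4-byte words */
};

/* Constructed accumulation buffer: options are appended back to back. */
struct opts_buf {
    size_t  len;                          /* bytes already used in data[] */
    uint8_t data[OPTS_MAX];
};

/* Byte offset selected by the cast-first form "(struct opt_hdr *)data + len":
 * the cast binds first, so len is scaled by sizeof(struct opt_hdr). */
size_t cast_first_offset(size_t len)
{
    return len * sizeof(struct opt_hdr);
}

/* Byte offset selected by the corrected form "(struct opt_hdr *)(data + len)":
 * the addition happens on a byte pointer, so the offset is exactly len. */
size_t add_first_offset(size_t len)
{
    return len;
}

/* Append one option record of opt_len bytes. Returns 0 on success, -1 when the
 * length check rejects the record, and -2 when the check passed but the write
 * target would fall outside data[]; that case is reported, not performed. */
int append_opt(struct opts_buf *b, const uint8_t *rec, size_t opt_len, int cast_first)
{
    /* This check is correct: it compares the true fill level against capacity. */
    if (b->len + opt_len > OPTS_MAX)
        return -1;

    size_t target = cast_first ? cast_first_offset(b->len) : add_first_offset(b->len);
    if (target + opt_len > OPTS_MAX)
        return -2;                        /* check passed, write would still overflow */

    memcpy(b->data + target, rec, opt_len);
    b->len += opt_len;
    return 0;
}

/* Feed n identical 8-byte records (4-byte header + 4-byte payload) and return
 * how many were placed before the first failure. A single record is placed
 * correctly either way; the mismatch only shows once several are present. */
int feed_records(int n, int cast_first)
{
    struct opts_buf b = { 0 };
    const uint8_t rec[8] = { 0x01, 0x02, 0x80, 0x01, 0xde, 0xad, 0xbe, 0xef };
    int placed = 0;

    for (int i = 0; i < n; i++) {
        if (append_opt(&b, rec, sizeof rec, cast_first) != 0)
            break;
        placed++;
    }
    return placed;
}

int main(void)
{
    printf("offset for len=8: cast-first %zu bytes, add-first %zu bytes\n",
           cast_first_offset(8), add_first_offset(8));
    printf("records placed before failure: cast-first %d, add-first %d\n",
           feed_records(32, 1), feed_records(32, 0));
    return 0;
}
```

With the cast-first arithmetic the second record is already written 32 bytes in rather than 8, and by the ninth record the target lies past the end of a buffer that the length check still considers less than a third full. The corrected form fills the buffer sequentially and only stops when the length check itself fires.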

Impact

Triggering this vulnerability causes a heap-based buffer overflow, which could potentially be leveraged to execute arbitrary code or to cause a denial-of-service condition.

Reproduction

The vulnerability can be reproduced by sending a netlink message that includes multiple NFTA_TUNNEL_KEY_OPTS_GENEVE attributes. The nft_tunnel_obj_init function will then process these attributes, leading to a slab-out-of-bounds write, as reported by the Kernel Address Sanitizer (KASAN).

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

  spread          9.0
  impact          7.5
  exploitability  5.7
  remediation     0.0
  relevance       0.0
  threat          4.8
  urgency         2.9
  incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.