Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
A vulnerability in the Linux kernel's handling of TLS data over sockets has been fixed. The issue arose in the BPF (Berkeley Packet Filter) message processing when using KTLS (Kernel TLS) support. Initially, the kernel correctly calculated the length of ciphertext data when sending plaintext. However, if the plaintext length was later reduced through socket policy, the corresponding ciphertext length was not updated. This oversight led to the transmission of buffers with uninitialized data, causing errors on the receiving end when parsing TLS records. The vulnerability affected the Linux kernel stable tree.
The vulnerability could cause data corruption by appending uninitialized bytes to TLS records, leading to parsing errors on the receiving side.
The vulnerability can be reproduced by sending plaintext data over a socket with KTLS enabled, and then reducing the plaintext length via socket policy. This will result in the ciphertext length not being properly adjusted, causing uninitialized data to be transmitted.
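The length mismatch described above, shown as a small userspace model. This is an added example, not kernel code or the upstream patch; `rec_model`, its functions, the 16-byte tag size and the `0xAA` stale-memory marker are all hypothetical stand-ins chosen for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define HDR_LEN 5    /* TLS record header */
#define TAG_LEN 16   /* AEAD tag size assumed for this model */
#define STALE   0xAA /* marker standing in for uninitialized memory */

struct rec_model {            /* hypothetical, not a kernel structure */
    size_t plain_len;         /* plaintext bytes queued for the record */
    size_t cipher_len;        /* bytes that will be put on the wire */
    unsigned char out[256];   /* outgoing record buffer */
};

/* Size the ciphertext from the plaintext, as done when data is first queued. */
static int rec_alloc(struct rec_model *r, size_t plain_len) {
    if (plain_len > sizeof r->out - HDR_LEN - TAG_LEN) return -1;
    memset(r->out, STALE, sizeof r->out);
    r->plain_len = plain_len;
    r->cipher_len = HDR_LEN + plain_len + TAG_LEN;
    return 0;
}

/* Policy shrinks the plaintext; only the fixed path resizes the ciphertext. */
static void policy_trim(struct rec_model *r, size_t new_plain, int fixed) {
    if (new_plain >= r->plain_len) return;
    r->plain_len = new_plain;
    if (fixed) r->cipher_len = HDR_LEN + new_plain + TAG_LEN;
}

/* Write header + body + tag for plain_len, then count sent-but-unwritten bytes. */
static size_t rec_send(struct rec_model *r) {
    size_t stale = 0;
    memset(r->out, 0, HDR_LEN + r->plain_len + TAG_LEN);
    for (size_t i = 0; i < r->cipher_len; i++)
        if (r->out[i] == STALE) stale++;
    return stale;
}

/* Returns the number of stale bytes sent, or (size_t)-1 on bad input. */
static size_t run(size_t plain, size_t trimmed, int fixed) {
    struct rec_model r;
    if (rec_alloc(&r, plain) != 0) return (size_t)-1;
    policy_trim(&r, trimmed, fixed);
    return rec_send(&r);
}

int main(void) {
    printf("unfixed: %zu, fixed: %zu\n", run(100, 60, 0), run(100, 60, 1));
    return 0;
}
```

In the unfixed path the number of stale bytes equals the amount by which the policy shortened the plaintext, which is the trailing data the receiver then fails to parse.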
Users can apply the latest patches available in the Linux kernel stable tree to address this vulnerability.