Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
A vulnerability in the Linux kernel's handling of virtio vsock packets can lead to a socket buffer (SKB) overflow. When a vsock packet is received in the guest, only the virtqueue buffer size is checked before the packet is processed. The function 'virtio_vsock_skb_rx_put()' then uses the length from the packet header to update the SKB, which overflows the buffer if a misbehaving host supplies a header length larger than the data actually delivered. The vulnerability has been addressed by validating the length indicated by the packet header before the SKB is updated.
Exploitation of this vulnerability could lead to a buffer overflow in the socket buffer, potentially allowing for arbitrary code execution or other unintended behavior.
The vulnerability can be reproduced by sending a vsock packet to a guest virtual machine that is using the virtio transport. The packet should be crafted to include a length in the header that exceeds the actual size of the data, bypassing the virtqueue buffer size check. This will trigger the SKB overflow condition by causing 'virtio_vsock_skb_rx_put()' to add more data to the socket buffer than it can safely handle.
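As an added illustration, not kernel code: a userspace C model of the guest receive path showing the validation the advisory describes, where the header-declared length is checked against the bytes the virtqueue actually delivered and against the remaining room in the socket buffer before anything is copied. `VSOCK_RX_BUF_SIZE`, `vsock_hdr_model`, `skb_model`, `vsock_rx_put_checked` and `demo_rejections` are constructed names, not the kernel's.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed model of the guest-side receive path; not the kernel's types. */
#define VSOCK_RX_BUF_SIZE 64               /* hypothetical data capacity of one SKB */
struct vsock_hdr_model { uint32_t len; };  /* length claimed by the untrusted host */
struct skb_model { uint8_t data[VSOCK_RX_BUF_SIZE]; size_t len; /* bytes queued */ };

static size_t skb_tailroom(const struct skb_model *skb)
{
    return VSOCK_RX_BUF_SIZE - skb->len;
}

/* vq_len is the byte count the virtqueue reports for this buffer. The flawed
 * path checked only that value and then trusted hdr->len for the copy; here
 * the header length is validated against both limits before any write. */
int vsock_rx_put_checked(struct skb_model *skb, const struct vsock_hdr_model *hdr,
                         const uint8_t *payload, size_t vq_len)
{
    if (hdr->len > vq_len)
        return -1;                         /* header claims more than was delivered */
    if (hdr->len > skb_tailroom(skb))
        return -2;                         /* copy would overrun the socket buffer */
    memcpy(skb->data + skb->len, payload, hdr->len);
    skb->len += hdr->len;
    return 0;
}

/* Two constructed packets: one consistent, one whose header overstates the
 * 16 delivered bytes as the advisory describes. Returns how many were rejected. */
int demo_rejections(void)
{
    struct skb_model skb = { .len = 0 };
    uint8_t payload[16] = { 0 };
    struct vsock_hdr_model good = { .len = sizeof payload };
    struct vsock_hdr_model bad  = { .len = 4096 };
    int rejected = 0;
    if (vsock_rx_put_checked(&skb, &good, payload, sizeof payload) != 0) rejected++;
    if (vsock_rx_put_checked(&skb, &bad, payload, sizeof payload) != 0) rejected++;
    return rejected;
}

int main(void)
{
    printf("rejected %d of 2 packets\n", demo_rejections());
    return 0;
}
```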
Users can upgrade to the patched version of the Linux kernel available in the Linux Kernel Archive.