Linux Kernel Out-of-Bounds Write Vulnerability in BPF Crypto Function

Vulnerability

An out-of-bounds write vulnerability has been identified in the Linux kernel's BPF crypto kfunc, bpf_crypto_crypt. The kfunc takes a source dynptr and a destination dynptr, resolves each to a pointer and a length, and then runs the cipher over the source length, writing the output into the destination. The size of the destination is not checked against the size of the source before the cryptographic operation is performed, so when the destination buffer is smaller than the source, the cipher output overruns the destination and corrupts adjacent kernel memory. This vulnerability affects kernel versions that ship the BPF crypto kfuncs without the fix.

Impact

Exploitation of this vulnerability lets a BPF program write cipher output beyond the end of a kernel buffer it was granted access to. The attacker controls the source data and thus the overflowing bytes, so the result is kernel memory corruption that can lead to privilege escalation, arbitrary code execution in the kernel, or a crash. The attacker needs to be able to load a BPF program that calls the bpf_crypto_crypt kfunc; the exact privilege required depends on the kernel configuration and the program type.

Reproduction

To reproduce this vulnerability, a BPF program is crafted that creates a BPF crypto context and calls bpf_crypto_crypt with a source dynptr that is larger than the destination dynptr. On an unpatched kernel the call is not rejected: the cipher runs over the full source length and writes that many bytes into the destination, so the bytes beyond the destination's size land in whatever follows it in memory. A patched kernel refuses the call with an error before touching either buffer.
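The added C example below is not kernel code and is not taken from the page or the upstream fix; it is a userspace model of the length check the kfunc needs. The `struct dynptr` stand-in, the XOR "cipher", the `key` parameter, the buffer sizes and the canary layout are all constructed for illustration. It shows the unchecked pattern (sizes read, only tested for zero, cipher run over the source length) overwriting a canary placed right after an 8-byte destination, and the hardened pattern rejecting the same call.

```c
/* Added example, not kernel code: a userspace model of the size check
 * that a crypt-into-dynptr routine must perform before writing output.
 * Everything here (dynptr stand-in, XOR cipher, sizes) is constructed. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Minimal stand-in for a dynptr: a data pointer plus the tracked size. */
struct dynptr {
    uint8_t *data;
    uint32_t size;
};

/* Constructed stand-in for a cipher: XOR src into dst over len bytes. */
static void toy_cipher(const uint8_t *src, uint8_t *dst, uint32_t len, uint8_t key)
{
    for (uint32_t i = 0; i < len; i++)
        dst[i] = src[i] ^ key;
}

/* Vulnerable pattern: both sizes are read but only checked for zero, and the
 * cipher runs over src_len, so src_len bytes are written into a dst_len buffer. */
static int crypt_unchecked(const struct dynptr *src, struct dynptr *dst,
                           uint8_t key, uint32_t *written)
{
    uint32_t src_len = src->size, dst_len = dst->size;
    if (!src_len || !dst_len)
        return -EINVAL;
    toy_cipher(src->data, dst->data, src_len, key); /* overflows when dst_len < src_len */
    *written = src_len;
    return 0;
}

/* Hardened pattern: refuse before touching memory when dst cannot hold src. */
static int crypt_checked(const struct dynptr *src, struct dynptr *dst,
                         uint8_t key, uint32_t *written)
{
    uint32_t src_len = src->size, dst_len = dst->size;
    if (!src_len || !dst_len)
        return -EINVAL;
    if (dst_len < src_len)
        return -EINVAL;
    toy_cipher(src->data, dst->data, src_len, key);
    *written = src_len;
    return 0;
}

/* 16-byte source, 8-byte destination carved out of a 32-byte backing array,
 * canary bytes 0x5A at backing[8..15]. Returns how many canary bytes the
 * unchecked call overwrote (0 would mean no overflow). */
int unchecked_canary_bytes_clobbered(void)
{
    uint8_t src_buf[16], backing[32];
    memset(src_buf, 0xAA, sizeof src_buf);
    memset(backing, 0x00, sizeof backing);
    memset(backing + 8, 0x5A, 8);

    struct dynptr src = { src_buf, sizeof src_buf };
    struct dynptr dst = { backing, 8 }; /* tracked size is 8, backing is larger */
    uint32_t written = 0;
    if (crypt_unchecked(&src, &dst, 0x11, &written) != 0)
        return -1;

    int clobbered = 0;
    for (int i = 8; i < 16; i++)
        if (backing[i] != 0x5A)
            clobbered++;
    return clobbered;
}

/* Runs the hardened call with a src of src_len and a dst of dst_len bytes
 * (both <= 32). Returns -EINVAL when rejected, else the bytes written. */
int checked_call(uint32_t src_len, uint32_t dst_len)
{
    uint8_t src_buf[32], dst_buf[32];
    memset(src_buf, 0xAA, sizeof src_buf);
    memset(dst_buf, 0x00, sizeof dst_buf);
    struct dynptr src = { src_buf, src_len };
    struct dynptr dst = { dst_buf, dst_len };
    uint32_t written = 0;
    int err = crypt_checked(&src, &dst, 0x11, &written);
    return err ? err : (int)written;
}

int main(void)
{
    printf("unchecked: canary bytes clobbered = %d\n", unchecked_canary_bytes_clobbered());
    printf("checked 16->8: %d (expect -EINVAL = %d)\n", checked_call(16, 8), -EINVAL);
    printf("checked 16->16: %d bytes written\n", checked_call(16, 16));
    return 0;
}
```

The only difference between the two routines is the `dst_len < src_len` test placed before any memory access; that is the shape of check a reviewer should look for in the patched kfunc, and the canary layout is the kind of probe a test program would use to confirm a kernel is patched.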

Remediation

Upgrade to a kernel release that includes the fix for bpf_crypto_crypt, or to a distribution kernel that has backported it. Instructions for upgrading the Linux kernel can be found in the official Linux kernel documentation and in the documentation of the distribution in use. After upgrading, a BPF program that calls bpf_crypto_crypt with a destination dynptr smaller than the source dynptr should receive an error rather than having its output written. Where an upgrade is not immediately possible, restricting who can load BPF programs limits exposure, since the vulnerable code is only reachable from a loaded BPF program.

Added: Oct 1, 2025, 8:28 AM
Updated: Oct 1, 2025, 8:28 AM

Vulnerability Rating

Custom Algorithm
spread: 9.0
impact: 2.5
exploitability: 3.8
remediation: 7.7
relevance: 0.6
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.