Linux Kernel virtio-net Buffer Length Check Vulnerability in Big Packets

Vulnerability

A vulnerability exists in the Linux kernel's virtio-net driver, in the receive path for "big packets" (the non-mergeable large-buffer mode). An earlier change made the guest size these receive buffers from the negotiated MTU when GSO is off, instead of always allocating the fixed maximum of MAX_SKB_FRAGS pages. The check on the length that the host announces for a received buffer was not updated to match: it still accepts any length up to the old fixed maximum, so it does not reject a length larger than the buffer the guest actually allocated. Since that length comes from the device backend, a buggy or malicious host can announce one; the driver then walks past the end of the allocated page chain and dereferences a NULL page pointer, crashing the guest kernel.

Impact

Exploitation of this vulnerability leads to a NULL pointer dereference in the guest kernel, crashing the affected guest (denial of service). The trigger originates on the device backend side, so it requires control of, or a fault in, the host's virtio-net implementation (for example vhost_net); an unprivileged peer on the network cannot reach it.

Reproduction

The vulnerability can be reproduced by modifying the host's vhost_net driver's get_rx_bufs function so that it announces an incorrect (too large) buffer length for a received big packet. When guest GSO is off, the virtio-net driver sizes its big-packet receive buffers from the negotiated MTU rather than the maximum possible size, allocating fewer chained pages. If the host then reports a length that exceeds what was allocated, the length check still passes (it is bounded by the old maximum, not the allocated size), and the receive path walks the page chain past its end and dereferences a NULL page pointer, crashing the guest.
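The following is an added model of the failure, written for this page; it is not the kernel's code and not part of the original advisory. It replaces kernel pages chained through page->private with a small linked list, copies data out of the chain one page at a time the way the big-packet receive path adds one frag per page, and puts the vulnerable length check (bounded by a fixed MAX_SKB_FRAGS-page maximum) beside the fixed one (bounded by the pages actually allocated). All names (model_page, receive_big_vulnerable, receive_big_fixed, simulate), the page size of 4096 and the MAX_SKB_FRAGS value of 17 are assumptions for the model; the real driver also stores the virtio-net header in the first page, which the model ignores.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Model constants: assumed values, not the kernel's own. */
#define MODEL_PAGE_SIZE     4096u
#define MODEL_MAX_SKB_FRAGS 17u   /* fixed upper bound the old check relied on */

/* Stand-in for one kernel page in a big-packet buffer. The kernel links the
 * pages through page->private; the model uses ->next. */
struct model_page {
    struct model_page *next;
    unsigned char data[MODEL_PAGE_SIZE];
};

enum rx_result { RX_OK = 0, RX_LEN_ERROR = 1, RX_NULL_PAGE = 2 };

/* Refill side: allocate a chain of nfrags pages for one big-packet buffer,
 * as the guest does from the negotiated MTU when GSO is off. */
struct model_page *alloc_big_buffer(unsigned nfrags)
{
    struct model_page *head = NULL, *tail = NULL;
    for (unsigned i = 0; i < nfrags; i++) {
        struct model_page *p = calloc(1, sizeof(*p));
        if (!p)
            break;                       /* partial chain is still well-formed */
        memset(p->data, 'A' + (int)(i % 26), sizeof(p->data));
        if (tail) tail->next = p; else head = p;
        tail = p;
    }
    return head;
}

void free_big_buffer(struct model_page *p)
{
    while (p) { struct model_page *n = p->next; free(p); p = n; }
}

/* Receive side: copy len bytes out of the chain, one page per iteration.
 * The kernel's loop dereferences the next page unconditionally; the model
 * reports RX_NULL_PAGE at the point where the kernel would oops. */
static enum rx_result walk_chain(struct model_page *page, unsigned len,
                                 unsigned char *out)
{
    unsigned off = 0;
    while (len) {
        if (!page)
            return RX_NULL_PAGE;   /* chain exhausted: NULL page pointer */
        unsigned chunk = len < MODEL_PAGE_SIZE ? len : MODEL_PAGE_SIZE;
        memcpy(out + off, page->data, chunk);
        off += chunk;
        len -= chunk;
        page = page->next;
    }
    return RX_OK;
}

/* Vulnerable form: bounds the announced length by the fixed maximum and
 * ignores how many pages were really allocated for this buffer. */
enum rx_result receive_big_vulnerable(struct model_page *buf, unsigned nfrags_alloc,
                                      unsigned len, unsigned char *out)
{
    (void)nfrags_alloc;
    if (len > MODEL_PAGE_SIZE * MODEL_MAX_SKB_FRAGS)
        return RX_LEN_ERROR;
    return walk_chain(buf, len, out);
}

/* Fixed form: bounds the announced length by the pages actually allocated. */
enum rx_result receive_big_fixed(struct model_page *buf, unsigned nfrags_alloc,
                                 unsigned len, unsigned char *out)
{
    if (len > MODEL_PAGE_SIZE * nfrags_alloc)
        return RX_LEN_ERROR;
    return walk_chain(buf, len, out);
}

/* Run one host-announced length against a buffer of nfrags pages. */
enum rx_result simulate(unsigned nfrags, unsigned announced_len, int fixed)
{
    struct model_page *buf = alloc_big_buffer(nfrags);
    unsigned char *out = malloc(announced_len ? announced_len : 1);
    enum rx_result r;
    if (!buf || !out) { free_big_buffer(buf); free(out); return RX_LEN_ERROR; }
    r = fixed ? receive_big_fixed(buf, nfrags, announced_len, out)
              : receive_big_vulnerable(buf, nfrags, announced_len, out);
    free_big_buffer(buf);
    free(out);
    return r;
}

int main(void)
{
    /* Constructed scenario: an MTU small enough that the guest allocates
     * 3 pages, and a host announcing 5 pages' worth of received data. */
    unsigned nfrags = 3, bad_len = 5 * MODEL_PAGE_SIZE;
    printf("vulnerable check: %d (2 = NULL page dereference)\n",
           simulate(nfrags, bad_len, 0));
    printf("fixed check:      %d (1 = length error, buffer dropped)\n",
           simulate(nfrags, bad_len, 1));
    printf("in-range length:  %d (0 = ok)\n",
           simulate(nfrags, 3 * MODEL_PAGE_SIZE, 1));
    return 0;
}
```

The point the model makes is that the announced length is attacker-controlled input crossing a trust boundary (device backend to guest driver), so the bound it is checked against must be the size the guest itself allocated, not a compile-time maximum that the allocation no longer honours.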

Remediation

Upgrade the guest kernel to a version containing the fix, which bounds the received length check in the big-packet path by the number of pages actually allocated for the negotiated MTU rather than the fixed maximum. The fix is on the guest driver side; there is no configuration workaround described for this issue, and only guests whose virtio-net device uses the non-mergeable big-packet receive path are affected.

Added: Dec 8, 2025, 1:50 AM
Updated: Dec 8, 2025, 1:50 AM

Vulnerability Rating

Custom Algorithm
spread          9.0
impact          2.5
exploitability  5.7
remediation     7.7
relevance       1.4
threat          4.8
urgency         2.9
incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.