Linux Kernel Field-Spanning Memcpy Vulnerability in IPv6 AH Output

Vulnerability

A vulnerability in the Linux kernel's handling of IPv6 extension headers in the Authentication Header (AH) output has been addressed. The issue involved a memcpy operation that spanned fields, leading to warnings about writing beyond the 16-byte limit of IPv6 address fields. This vulnerability was present in the Linux kernel stable tree and was introduced in version 6.5.0. The problem arose because extension headers were unintentionally placed after the IPv6 header in memory, causing false positive warnings. The vulnerability could potentially be exploited by manipulating IPv6 extension headers, but such a scenario would require a deep understanding of the kernel's networking stack and could be considered a low-probability exploit.
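To illustrate the field-spanning write described above, the following is an added example, not kernel code and not the actual patch. It uses a constructed, simplified header layout to show why a copy longer than one 16-byte address field is flagged, next to a copy that writes each field separately with a bound; `struct demo_hdr`, `spans_field`, `restore_split`, `demo_roundtrip` and the 64-byte extension cap are assumptions made for the illustration.

```c
#include <stdint.h>
#include <string.h>

#define ADDR_LEN 16 /* one IPv6 address field, per the text above */
#define EXT_MAX  64 /* constructed cap on extension-header bytes */
/* Constructed, simplified layout; not the kernel's own structures. */
struct demo_hdr {
    uint8_t fixed[8];
    uint8_t saddr[ADDR_LEN];
    uint8_t daddr[ADDR_LEN];
    uint8_t ext[EXT_MAX]; /* extension headers follow the header */
};

/* Models the fortified check: the destination names one field, so a longer
 * length is field-spanning, e.g. memcpy(h->saddr, saved, 2*ADDR_LEN + ext_len). */
static int spans_field(size_t field_size, size_t copy_len)
{
    return copy_len > field_size;
}

/* Field-aware restore: saved = saddr | daddr | ext_len bytes of extension
 * headers. Each part is copied into its own field, each copy bounded. */
static int restore_split(struct demo_hdr *h, const uint8_t *saved, size_t ext_len)
{
    if (ext_len > sizeof(h->ext))
        return -1; /* refuse instead of writing past ext[] */
    memcpy(h->saddr, saved, ADDR_LEN);
    memcpy(h->daddr, saved + ADDR_LEN, ADDR_LEN);
    memcpy(h->ext, saved + 2 * ADDR_LEN, ext_len);
    return 0;
}

/* Constructed round trip: returns 1 when all three fields match. */
static int demo_roundtrip(size_t ext_len)
{
    uint8_t saved[2 * ADDR_LEN + EXT_MAX];
    struct demo_hdr h = {0};
    for (size_t i = 0; i < sizeof(saved); i++)
        saved[i] = (uint8_t)(i + 1);
    if (restore_split(&h, saved, ext_len) != 0)
        return 0;
    return !memcmp(h.saddr, saved, ADDR_LEN) &&
           !memcmp(h.daddr, saved + ADDR_LEN, ADDR_LEN) &&
           !memcmp(h.ext, saved + 2 * ADDR_LEN, ext_len);
}

int main(void)
{
    return spans_field(ADDR_LEN, 2 * ADDR_LEN + 8) && demo_roundtrip(8) ? 0 : 1;
}
```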

Impact

The vulnerability could lead to memory corruption by overwriting parts of the IPv6 header, which could be exploited to manipulate network traffic or cause a denial-of-service condition by crashing the system.

Reproduction

The vulnerability can be reproduced by sending IPv6 packets with crafted extension headers that exceed the normal size limits. This can be done using network testing tools that allow for the manipulation of packet headers, such as Scapy or similar utilities. The crafted packets should trigger the field-spanning memcpy operation in the AH6 output functions, generating the fortify-string warnings about the unsafe memory writes.

Remediation

Users can upgrade to the latest version of the Linux kernel to address this vulnerability. The patch for this issue is included in the official Linux kernel repositories.

Added: Dec 16, 2025, 5:16 PM
Updated: Dec 16, 2025, 5:16 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 0.0
exploitability: 5.7
remediation: 7.7
relevance: 1.4
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.