NeKernal Heap-Based Buffer Overflow Vulnerability in rt_copy_memory Function
Vulnerability
A heap-based buffer overflow vulnerability has been identified in NeKernal version 0.0.2, within the rt_copy_memory function. The function unconditionally writes a null terminator at an offset that can lie beyond the end of the allocated destination buffer. Specifically, when the length parameter equals 256 bytes (the full buffer size), the extra null byte is written one byte past the allocation and overwrites adjacent memory, leading to potential heap metadata corruption and undefined behavior. This could cause a kernel crash or, in some cases, allow privilege escalation.
Impact
Exploitation of this vulnerability corrupts heap metadata, causing undefined behavior that could result in a kernel crash or, potentially, privilege escalation.
Reproduction
The vulnerability can be reproduced by calling the rt_copy_memory function with a length of 256 bytes for a destination buffer that is exactly 256 bytes long. This can happen, for example, when a file is created with a name that fills the buffer to its limit: the null terminator is then written one byte past the allocated memory, triggering the overflow.
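The following C program is an added illustration of the off-by-one pattern described in the Vulnerability and Reproduction sections above; it is not NeKernal's rt_copy_memory and does not reproduce its code. The function names copy_memory_unchecked, copy_memory_checked, terminator_overflows and try_copy_into_256, the 256-byte buffer size and the sample 'A'-filled input are all assumptions made for this example. It places the unchecked pattern (copy len bytes, then always write dst[len] = 0) beside a hardened form that takes the destination capacity and refuses any length that leaves no room for the terminator, which is the check a reviewer would look for in a fix.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Buffer size used in the advisory's scenario (assumption for this example). */
#define BUF_SIZE 256

/* Mirrors the defective pattern described in the advisory: copies len bytes
 * and then writes a null terminator at dst[len] without checking capacity.
 * When len equals the allocation size the terminator lands one byte past
 * the buffer (heap off-by-one). Hypothetical code, not NeKernal's. */
static void copy_memory_unchecked(char *dst, const char *src, size_t len) {
    memcpy(dst, src, len);
    dst[len] = '\0';   /* out of bounds whenever len >= allocated size */
}

/* Hardened form: the caller supplies the destination capacity and the copy
 * is refused (returns -1) unless len bytes plus the terminator fit. */
static int copy_memory_checked(char *dst, size_t dst_size,
                               const char *src, size_t len) {
    if (dst == NULL || src == NULL) return -1;
    if (len >= dst_size) return -1;   /* require len + 1 <= dst_size */
    memcpy(dst, src, len);
    dst[len] = '\0';
    return 0;
}

/* Audit helper: returns 1 if the unchecked pattern would write its
 * terminator outside a dst_size-byte buffer for the given len, else 0. */
static int terminator_overflows(size_t dst_size, size_t len) {
    return len >= dst_size ? 1 : 0;
}

/* Attempts a hardened copy of len bytes of constructed 'A' data into a
 * freshly allocated 256-byte heap buffer and returns its status code. */
static int try_copy_into_256(size_t len) {
    char src[BUF_SIZE];
    memset(src, 'A', BUF_SIZE);          /* constructed sample input */
    char *dst = malloc(BUF_SIZE);
    if (dst == NULL) return -2;
    int rc = copy_memory_checked(dst, BUF_SIZE, src, len);
    free(dst);
    return rc;
}

int main(void) {
    char small[16];
    /* The unchecked pattern is fine while len stays below the capacity. */
    copy_memory_unchecked(small, "hello", 5);
    printf("unchecked, len=5 into 16 bytes: \"%s\"\n", small);

    /* 255 bytes plus the terminator fit in 256; 256 bytes do not. */
    printf("checked, len=255 -> %d (0 = ok)\n", try_copy_into_256(255));
    printf("checked, len=256 -> %d (-1 = refused)\n", try_copy_into_256(256));

    /* The audit helper flags exactly the boundary case from the advisory. */
    printf("len=256 into 256-byte buffer overflows: %d\n",
           terminator_overflows(BUF_SIZE, 256));
    return 0;
}
```

The program never performs the out-of-bounds write itself; the unchecked function is only called with an in-range length so the reader can see that both variants behave identically in the normal case and differ only at the boundary, where the hardened one returns an error instead of corrupting the heap.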
Remediation
Users can update to NeKernal version 0.0.3, where this vulnerability has been patched.