Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
- >= 6.12.34, < 6.12.34-gbe78e49cb433
A vulnerability exists in the Linux kernel's handling of raw IP packets within the QMI WWAN USB driver. These packets lack a MAC header, leaving the socket buffer's MAC header field uninitialized. This oversight can cause kernel panics on ARM64 systems when the IPsec subsystem accesses the uninitialized header, due to strict alignment requirements. The issue can also trigger panics on ARM architectures running IPsec over the QMI multiplexed interface. The vulnerability has been addressed by modifying the QMI WWAN driver to properly initialize the MAC header for raw IP packets, ensuring compatibility with subsystems like IPsec that rely on correct header alignment.
Exploitation of this vulnerability can lead to kernel panics, causing system instability and disruption of network services. On ARM64, the issue arises when IPsec is used over the QMI multiplexed interface, while on ARM, it can cause panics during IPsec operations, regardless of the QMI interface.
To reproduce this vulnerability, send raw IP packets over a QMI WWAN interface without a MAC header. This can be done using a USB device that supports the QMI WWAN protocol, such as certain mobile broadband modems. Once the packets are sent, the lack of a MAC header will cause the kernel to panic when IPsec or other subsystems attempt to process the packets, leading to a crash.
The vulnerability has been fixed in the Linux kernel stable tree. Users can upgrade to the latest version of the kernel to apply the patch.
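The failure mode and fix described above, as an added example that is not part of the original entry or of the kernel patch: a simplified userspace C model of the socket-buffer fields involved. The struct and function names are hypothetical. It assumes the kernel convention that an unset MAC header offset holds the all-ones 16-bit value, and the reset mirrors what the kernel helper `skb_reset_mac_header()` does.

```c
#include <stdint.h>
#include <stdio.h>

/* Userspace model; names are hypothetical. MAC_UNSET is the assumed "never set" marker. */
#define MAC_UNSET ((uint16_t)~0U)

struct skb_model {
    unsigned char *head;  /* start of the allocated buffer */
    unsigned char *data;  /* start of the packet payload */
    size_t size;          /* bytes allocated at head */
    uint16_t mac_header;  /* offset from head, or MAC_UNSET */
};

/* Raw IP receive path as described: no MAC header, so nothing sets the offset. */
static void skb_model_init(struct skb_model *skb, unsigned char *buf, size_t size, size_t headroom)
{
    skb->head = buf;
    skb->data = buf + headroom;
    skb->size = size;
    skb->mac_header = MAC_UNSET;
}

static int mac_header_was_set(const struct skb_model *skb)
{
    return skb->mac_header != MAC_UNSET;
}

/* Corrected behaviour: point the MAC header at the start of the IP payload. */
static void reset_mac_header(struct skb_model *skb)
{
    skb->mac_header = (uint16_t)(skb->data - skb->head);
}

/* A consumer reads at head + mac_header; usable only if set, in bounds and aligned. */
static int mac_header_usable(const struct skb_model *skb, size_t align)
{
    size_t off = skb->mac_header;
    return mac_header_was_set(skb) && off < skb->size && off % align == 0;
}

int main(void)
{
    static unsigned char buf[2048]; /* constructed sample buffer */
    struct skb_model skb;
    skb_model_init(&skb, buf, sizeof buf, 64);
    printf("before: offset=%u usable=%d\n", (unsigned)skb.mac_header, mac_header_usable(&skb, 4));
    reset_mac_header(&skb);
    printf("after:  offset=%u usable=%d\n", (unsigned)skb.mac_header, mac_header_usable(&skb, 4));
    return 0;
}
```

Before the reset, the modelled offset lies far outside the buffer and at an odd position, which is the kind of address a strict-alignment architecture faults on when a consumer dereferences it.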