Linux Kernel Open vSwitch Attribute Validation Vulnerability in NSH Push Action

Vulnerability

A vulnerability exists in the Linux kernel's Open vSwitch component, in the handling of the push_nsh() action. The attributes nested inside OVS_ACTION_ATTR_PUSH_NSH are not properly validated before use, which can lead to invalid memory access. The vulnerability is present in the stable Linux kernel versions that include the problematic Open vSwitch NSH support. Exploitation of this vulnerability can cause a slab-out-of-bounds memory error, as reported by the Kernel Address Sanitizer (KASAN).
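The kind of per-level length check that nested attributes need, as an added user-space model in C; it is not kernel code and not the upstream fix. The type ids, MODEL_BASE_LEN and all function names are assumptions of this example; only the netlink-style 4-byte header (length, type) and 4-byte alignment follow the real format.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HDRLEN 4u  /* netlink-style header: 2-byte length + 2-byte type */
#define ALIGN4(n) (((size_t)(n) + 3u) & ~(size_t)3u)
/* Hypothetical ids and size for this model only, not the kernel's values. */
enum { MODEL_KEY_NSH = 1, MODEL_NSH_BASE = 1, MODEL_BASE_LEN = 8 };
struct attr { uint16_t len, type; };

/* Read the header at buf only if it and its claimed length fit in rem bytes. */
static int attr_ok(const uint8_t *buf, size_t rem, struct attr *a)
{
    if (rem < HDRLEN) return 0;
    memcpy(a, buf, HDRLEN);
    return a->len >= HDRLEN && a->len <= rem;
}

/* buf/size: payload of the outer action. Returns 0 if well formed, else -1. */
int validate_push_nsh_model(const uint8_t *buf, size_t size)
{
    struct attr mid = {0, 0}, in = {0, 0};
    int seen_base = 0;

    /* Middle level: exactly one attribute of the expected type, no trailer. */
    if (!attr_ok(buf, size, &mid) || mid.type != MODEL_KEY_NSH) return -1;
    if (ALIGN4(mid.len) < size) return -1;
    /* Inner level: walk only within the middle attribute's own length. */
    for (size_t off = HDRLEN; off < mid.len; off += ALIGN4(in.len)) {
        if (!attr_ok(buf + off, mid.len - off, &in)) return -1;
        if (in.type != MODEL_NSH_BASE) return -1;
        if (in.len != HDRLEN + MODEL_BASE_LEN) return -1; /* fixed-size payload */
        seen_base = 1;
    }
    return seen_base ? 0 : -1;
}

/* Constructed sample (size <= 32): a middle and one inner attribute with
 * caller-chosen claimed lengths; only `size` bytes are declared valid. */
int check_sample(size_t size, uint16_t mid_len, uint16_t inner_len)
{
    uint8_t buf[32] = {0};
    struct attr mid = { mid_len, MODEL_KEY_NSH }, in = { inner_len, MODEL_NSH_BASE };
    memcpy(buf, &mid, HDRLEN);
    memcpy(buf + HDRLEN, &in, HDRLEN);
    return validate_push_nsh_model(buf, size);
}

int main(void) { printf("%d %d\n", check_sample(16, 16, 12), check_sample(16, 16, 40)); return 0; }
```

Each level is checked against the length of its parent, not the length of the whole message, so an inner attribute that claims more bytes than its container holds is rejected before any payload is read.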

Impact

Exploitation of this vulnerability causes a slab-out-of-bounds memory error, leading to invalid memory access that can potentially be exploited to execute arbitrary code or cause a denial-of-service condition.

Reproduction

The vulnerability can be reproduced by sending a netlink message that includes the OVS_ACTION_ATTR_PUSH_NSH attribute with improperly sized or nested OVS_KEY_ATTR_NSH attributes. This can be done using a custom application that interacts with Open vSwitch's flow management via netlink, ensuring that the NSH key attributes are malformed in a way that bypasses the validation checks.

Remediation

Users can upgrade to the latest version of the Linux kernel where this vulnerability has been addressed. Instructions for upgrading the kernel can be found in the official Linux kernel documentation.

Added: Jan 13, 2026, 6:26 PM
Updated: Jan 13, 2026, 6:26 PM

Vulnerability Rating

Custom Algorithm
spread: 9.0
impact: 2.5
exploitability: 4.3
remediation: 7.7
relevance: 2.0
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.