Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*, +4 more
An integer underflow vulnerability has been identified in the Linux kernel's CAIF protocol, specifically within the CFFRML receive function (the framing layer's cffrml_receive). The function reads a 16-bit length field from the frame header and, when the Frame Check Sequence (FCS) is disabled, subtracts 2 from it to account for the FCS bytes that are not present. It does so without first checking that the length is at least 2, so a header length of 0 or 1 wraps to 65534 or 65535 instead of being rejected. An attacker who can deliver frames to a CAIF interface with FCS disabled can therefore trigger the underflow with a single malformed packet. This can lead to memory exhaustion and instability in the kernel, with a potential for information disclosure if the resulting padding contains uninitialized kernel memory.
Successful exploitation can cause memory exhaustion and instability in the Linux kernel, and may disclose uninitialized kernel memory.
To reproduce this vulnerability, send a CAIF frame whose header length field is 0 or 1 to a Linux kernel CAIF interface on which the Frame Check Sequence (FCS) is disabled. The CFFRML receive function subtracts 2 from the length without validating it, so the 16-bit value underflows and the frame is processed with an oversized length instead of being dropped.
The vulnerability has been addressed by modifying the CFFRML receive function to validate that the length field is at least 2 before subtracting the FCS size. Users should upgrade to a kernel release that includes this fix.
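The length handling described above, the reproduction input, and the shape of the fix, as an added user-space model (this is not the kernel's net/caif/cffrml.c; the function and type names, the "would grow" helper and the sample frames are assumptions constructed for illustration):

```c
/* Added example: a user-space model of the CAIF framing-layer (cffrml)
 * length handling. Not the kernel's code; names, the frml_would_grow()
 * helper and the sample frames are assumptions made for this illustration. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* A CAIF frame as it reaches the framing layer: a 2-byte little-endian
 * length header followed by the bytes that length is supposed to cover. */
struct caif_frame {
    const uint8_t *data;
    size_t len;
};

enum { FRML_REJECTED = -1 };

/* Extract the little-endian 16-bit length header (the kernel does this with
 * cfpkt_extr_head() followed by le16_to_cpu()). */
static bool frml_read_len(const struct caif_frame *f, uint16_t *len)
{
    if (f->len < 2)
        return false;
    *len = (uint16_t)(f->data[0] | ((uint16_t)f->data[1] << 8));
    return true;
}

/* Vulnerable shape: with FCS disabled, subtract the 2 FCS bytes from the
 * header length without checking that the header length is at least 2.
 * Returns the resulting 16-bit length, or FRML_REJECTED. */
int frml_receive_vulnerable(const struct caif_frame *f, bool dofcs)
{
    uint16_t len;

    if (!frml_read_len(f, &len))
        return FRML_REJECTED;

    if (!dofcs)
        len -= 2;           /* u16 arithmetic wraps: 0 -> 65534, 1 -> 65535 */

    return len;
}

/* Hardened shape: the same subtraction guarded by the missing check. */
int frml_receive_fixed(const struct caif_frame *f, bool dofcs)
{
    uint16_t len;

    if (!frml_read_len(f, &len))
        return FRML_REJECTED;

    if (!dofcs) {
        if (len < 2)        /* header length cannot account for an absent FCS */
            return FRML_REJECTED;
        len -= 2;
    }

    return len;
}

/* True when the computed length exceeds the bytes actually present after the
 * header, i.e. the point at which a setlen-style step would have to grow the
 * buffer instead of trimming it. Assumed helper, not kernel code. */
bool frml_would_grow(const struct caif_frame *f, int computed_len)
{
    if (computed_len < 0)
        return false;
    return (size_t)computed_len > f->len - 2;
}

/* Constructed sample frames (not captured traffic). */
static const uint8_t raw_len0[] = { 0x00, 0x00, 0xAA, 0xBB };    /* header says 0 */
static const uint8_t raw_len1[] = { 0x01, 0x00, 0xAA, 0xBB };    /* header says 1 */
static const uint8_t raw_ok[]   = { 0x05, 0x00, 'a', 'b', 'c' }; /* 5 = 3 payload + 2 FCS */

const struct caif_frame frame_len0 = { raw_len0, sizeof raw_len0 };
const struct caif_frame frame_len1 = { raw_len1, sizeof raw_len1 };
const struct caif_frame frame_ok   = { raw_ok,   sizeof raw_ok   };

int main(void)
{
    const struct caif_frame *frames[] = { &frame_len0, &frame_len1, &frame_ok };
    const char *names[] = { "len=0", "len=1", "len=5" };

    /* FCS disabled on the interface, as in the reproduction description. */
    for (size_t i = 0; i < 3; i++) {
        int v = frml_receive_vulnerable(frames[i], false);
        int x = frml_receive_fixed(frames[i], false);
        printf("%-6s vulnerable -> %6d (would grow: %s)   fixed -> %d\n",
               names[i], v, frml_would_grow(frames[i], v) ? "yes" : "no", x);
    }
    return 0;
}
```

With FCS disabled, the vulnerable variant turns the 0 and 1 headers into 65534 and 65535, far beyond the two bytes actually carried, which is exactly the condition the guarded variant now rejects; the well-formed frame (header 5, three payload bytes) is handled identically by both.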