Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
A vulnerability in the Linux kernel's IPv6 Calipso module can cause a kernel oops by triggering the BUG_ON() condition in pskb_expand_head(). The issue arises when calipso_skbuff_setattr() is called with a headroom value greater than INT_MAX, which leads to an implicit integer overflow: the headroom check intended to prevent negative values fails under these conditions, so a negative headroom size is passed to pskb_expand_head(), which expects a non-negative value. The vulnerability can be triggered by manipulating the Calipso protocol handling in IPv6 so that the headroom calculation results in a negative value, causing the kernel to crash.
Exploiting this vulnerability triggers a kernel oops: the kernel crashes because one of its memory-management invariants is violated.
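The failure mode described above, as an added example that is not the kernel's own code: a simplified model of a check-then-convert headroom helper, showing how an unsigned request that exceeds the current headroom by more than INT_MAX survives the "is it larger" test yet becomes negative once truncated to int, beside a variant that bounds the difference before converting. The function names and the -1/-2 return values are assumptions made for this illustration.

```c
#include <limits.h>
#include <stdio.h>

/* Hypothetical, simplified model (not the kernel's code) of the pattern the
 * advisory describes: an unsigned headroom request is compared with the
 * current headroom, the difference is stored in a signed int, and that int
 * is handed to a grow routine that insists on a non-negative value. */

/* Stand-in for the grow routine: -1 where the real one would BUG_ON(). */
static int model_expand_head(int nhead)
{
    if (nhead < 0)
        return -1;
    return 0;
}

/* Vulnerable pattern: "requested > current" rules out a negative difference
 * in unsigned arithmetic, but the result is then converted to int, so any
 * difference above INT_MAX wraps negative (two's complement in practice). */
int cow_unchecked(unsigned int current_headroom, unsigned int requested)
{
    int delta = 0;

    if (requested > current_headroom)
        delta = requested - current_headroom;   /* implicit unsigned -> int */
    return model_expand_head(delta);
}

/* Hardened pattern: refuse any request whose difference cannot be held in a
 * non-negative int before the conversion happens; the caller gets an error
 * instead of a crash. */
int cow_checked(unsigned int current_headroom, unsigned int requested)
{
    unsigned int delta = 0;

    if (requested > current_headroom) {
        delta = requested - current_headroom;
        if (delta > (unsigned int)INT_MAX)
            return -2;                          /* oversized request rejected */
    }
    return model_expand_head((int)delta);
}

int main(void)
{
    unsigned int cur = 64;                                  /* constructed */
    unsigned int huge = cur + (unsigned int)INT_MAX + 1u;   /* constructed */

    printf("unchecked: %d\n", cow_unchecked(cur, huge));    /* -1: would BUG_ON */
    printf("checked:   %d\n", cow_checked(cur, huge));      /* -2: rejected */
    return 0;
}
```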
To reproduce this vulnerability, use the netlabelctl tool to manipulate the Calipso protocol handling in IPv6. First delete the default mapping, then add a Calipso pass entry. Once the Calipso protocol is set up, create an IPv6 UDP socket and prepare a message header. Allocate control-message space for IPv6 hop-by-hop options, setting the hop size to an invalid value that triggers the vulnerability. Finally, send the message; the kernel oopses on the BUG_ON() condition in pskb_expand_head().
The vulnerability has been fixed in the Linux kernel. Users should upgrade to the latest version.