Linux Kernel ERSPAN Traffic Handling Vulnerability in GRE Tunnels Causes Kernel Panic

Vulnerability

A vulnerability in the Linux kernel's handling of ERSPAN (Encapsulated Remote Switch Port Analyzer) traffic over GRE (Generic Routing Encapsulation) tunnels can lead to a kernel panic. The issue arises because the 'options_len' field of the 'ip_tunnel_info' structure, which is crucial for proper runtime bounds checking, is not initialized before the 'options' array is referenced. The vulnerability is present in Linux kernels that are compiled with GCC 15 or later and have FORTIFY_SOURCE enabled. When ERSPAN traffic is processed in this state, the kernel attempts to write data into an unallocated buffer; the kernel's fortify feature detects this as a buffer overflow and panics. This vulnerability affects the stable branch of the Linux kernel.
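
The ordering problem described above, shown as an added example that is not kernel code and not code from this advisory: a user-space C model in which a hypothetical checked_copy() stands in for the fortified memcpy() and returns -1 where the kernel would panic. The names tun_info_model, checked_copy and fill_options, the zeroed allocation and the sample bytes are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Simplified user-space model (assumption, not the kernel's definition):
 * a length field followed by the flexible array that it bounds. */
struct tun_info_model {
    uint8_t options_len;  /* bound consulted by the runtime check */
    uint8_t options[];    /* option bytes stored after the header */
};

/* Constructed sample bytes standing in for tunnel option metadata. */
static const uint8_t sample_md[8] = { 1, 2, 3, 4, 5, 6, 7, 8 };

/* Hypothetical stand-in for a fortified memcpy(): reject any write larger
 * than the bound the structure currently records. Returns -1 where the
 * kernel would panic. */
static int checked_copy(struct tun_info_model *info, const void *src, size_t len)
{
    if (len > info->options_len)
        return -1;
    memcpy(info->options, src, len);
    return 0;
}

/* Copy len option bytes into a fresh structure. set_len_first != 0 selects
 * the corrected order (record options_len, then write options); 0 selects
 * the faulty order (write options while options_len is still unset). */
int fill_options(const void *md, uint8_t len, int set_len_first)
{
    /* Assumption: zeroed allocation, so an unset options_len reads as 0. */
    struct tun_info_model *info = calloc(1, sizeof(*info) + len);
    int rc;
    if (!info)
        return -2;
    if (set_len_first)
        info->options_len = len;
    rc = checked_copy(info, md, len);
    info->options_len = len;  /* too late for the faulty order */
    free(info);
    return rc;
}

int main(void)
{
    return !(fill_options(sample_md, sizeof(sample_md), 0) == -1 &&
             fill_options(sample_md, sizeof(sample_md), 1) == 0);
}
```

The storage is large enough in both orders; only the recorded bound differs, which is why the check fires on builds that enforce it.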

Impact

Exploitation of this vulnerability leads to a kernel panic, causing a denial of service by abruptly terminating all processes and services on the system.

Reproduction

To reproduce this vulnerability, compile the Linux kernel with GCC 15 or later, ensuring that FORTIFY_SOURCE is enabled. Then, handle ERSPAN traffic over GRE tunnels. The kernel will panic due to a detected buffer overflow, as the 'options_len' attribute is not properly initialized before the 'options' array is referenced.

Remediation

Users can upgrade to the latest version of the Linux kernel where this vulnerability has been addressed. Instructions for upgrading the Linux kernel can be found in the official Linux documentation or through the package management system of the respective Linux distribution.

Added: Jan 14, 2026, 4:04 PM
Updated: Jan 14, 2026, 4:45 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 2.5
exploitability: 5.3
remediation: 7.7
relevance: 2.1
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.