Linux Kernel ARM64 Alignment Fault Vulnerability in Multipath Hash Seed Handling

A vulnerability in the Linux kernel's handling of the multipath hash seed for IPv4 can lead to an alignment fault on ARM64 architectures. The issue arises because the 'sysctl_fib_multipath_hash_seed' structure, which contains two 32-bit fields, is treated as an 8-byte structure with a 4-byte alignment requirement. When the hash seed is read using the 'READ_ONCE()' macro, it evaluates the entire structure atomically, which can cause a fatal kernel panic if compiled with Clang and Link Time Optimization (LTO) enabled. This is because Clang emits a 64-bit load instruction that, when executed on a 4-byte aligned address, triggers a strict alignment fault. The vulnerability also exposes a tear-write issue when writing to the structure, as Clang splits the 8-byte write into two 32-bit instructions, destroying atomicity. The vulnerability has been addressed by modifying the read and write operations to ensure proper alignment and atomicity, and by adding missing read operations to maintain concurrency safety.

Impact

Exploitation of this vulnerability causes a kernel panic due to an alignment fault, disrupting system operations and potentially leading to a denial of service.

Reproduction

The vulnerability can be reproduced by compiling the Linux kernel with Clang and LTO enabled, and then triggering a read operation on the 'sysctl_fib_multipath_hash_seed' structure in the IPv4 net namespace. This can be done by accessing the corresponding sysctl interface, which will invoke the 'proc_fib_multipath_hash_seed' function. The misalignment issue will cause a kernel panic, demonstrating the vulnerability.

Remediation

The vulnerability has been fixed in the Linux kernel. Users should upgrade to the latest version where this issue has been addressed.