Linux Kernel Out-of-Bounds ELF Section Index Vulnerability Leading to Kernel Panic

Vulnerability

A vulnerability in the Linux kernel's module loader can cause a kernel panic by mishandling ELF section indices. The issue arises in the 'simplify_symbols' function, where the loader fails to validate the bounds of the section index. This oversight allows symbols with out-of-bounds indices, such as 0xffff (SHN_XINDEX or SHN_HIRESERVE), to be processed, leading to a page fault and a fatal exception that halts the kernel. The problem can occur with legitimate ELF modules using SHN_XINDEX or with corrupted ones. This vulnerability was introduced by a bug in 'llvm-objcopy'.

Impact

Exploitation of this vulnerability causes a kernel panic, disrupting system operations and potentially leading to a denial of service.

Reproduction

To reproduce this vulnerability, load a kernel module that contains an ELF symbol with an out-of-bounds section index, such as 0xffff. This can be done by creating a custom kernel module that intentionally uses an invalid index or by corrupting a legitimate module's ELF metadata to include an out-of-bounds value. Once the module is loaded, the kernel will panic, indicating it was unable to handle a page fault caused by the invalid section index.

Remediation

The vulnerability has been addressed in the Linux kernel by adding a bounds check in the 'simplify_symbols' function to ensure that section indices are valid before they are used. Users should upgrade to the latest version of the Linux kernel where this fix has been applied.
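The bounds check described above can be modelled in user space to screen module files before they are loaded. The following is an added example, not the kernel's code: the names `count_oob_shndx`, `build_sample` and `LIVEPATCH_SHNDX` are hypothetical, and it assumes a host-endian ELF64 object in which the reserved indices SHN_UNDEF, SHN_ABS, SHN_COMMON and the kernel's livepatch index are handled without a section lookup.

```c
#include <elf.h>
#include <stddef.h>
#include <string.h>

#define LIVEPATCH_SHNDX 0xff20 /* assumed value of the kernel's SHN_LIVEPATCH */

/* Count symbols whose st_shndx would index past the section header table.
 * Returns -1 if the buffer is not a parseable host-endian ELF64 object. */
int count_oob_shndx(const unsigned char *buf, size_t len)
{
    Elf64_Ehdr eh;
    int bad = 0;
    if (len < sizeof(eh)) return -1;
    memcpy(&eh, buf, sizeof(eh));
    if (memcmp(eh.e_ident, ELFMAG, SELFMAG) || eh.e_ident[EI_CLASS] != ELFCLASS64 ||
        eh.e_shentsize != sizeof(Elf64_Shdr) || eh.e_shoff > len ||
        (len - eh.e_shoff) / sizeof(Elf64_Shdr) < eh.e_shnum)
        return -1;
    for (size_t s = 0; s < eh.e_shnum; s++) {
        Elf64_Shdr sh;
        memcpy(&sh, buf + eh.e_shoff + s * sizeof(sh), sizeof(sh));
        if (sh.sh_type != SHT_SYMTAB) continue;
        if (sh.sh_offset > len || sh.sh_size > len - sh.sh_offset) return -1;
        for (size_t i = 1; i < sh.sh_size / sizeof(Elf64_Sym); i++) {
            Elf64_Sym sym;
            memcpy(&sym, buf + sh.sh_offset + i * sizeof(sym), sizeof(sym));
            switch (sym.st_shndx) {
            case SHN_UNDEF: case SHN_ABS: case SHN_COMMON: case LIVEPATCH_SHNDX:
                break; /* reserved indices: no section header lookup */
            default:   /* ordinary symbol: index must name a real section */
                if (sym.st_shndx >= eh.e_shnum) bad++;
            }
        }
    }
    return bad;
}

/* Constructed sample: 3 sections, 3 symbols; the last symbol gets `shndx`. */
struct sample { Elf64_Ehdr eh; Elf64_Shdr sh[3]; Elf64_Sym sym[3]; };
struct sample build_sample(Elf64_Half shndx)
{
    struct sample s = {
        .eh = { .e_ident = { ELFMAG0, ELFMAG1, ELFMAG2, ELFMAG3, ELFCLASS64 },
                .e_shoff = offsetof(struct sample, sh),
                .e_shentsize = sizeof(Elf64_Shdr), .e_shnum = 3 },
        .sh[2] = { .sh_type = SHT_SYMTAB, .sh_offset = offsetof(struct sample, sym),
                   .sh_size = 3 * sizeof(Elf64_Sym) },
        .sym[1] = { .st_shndx = 1 }, .sym[2] = { .st_shndx = shndx },
    };
    return s;
}
```

Passing the sample built with `build_sample(0xffff)` to `count_oob_shndx` reports one offending symbol; a non-zero count on a real module file means the unpatched loader would use that index without a bounds check.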

Added: Apr 22, 2026, 2:39 PM
Updated: Apr 22, 2026, 2:39 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 2.5
exploitability: 3.8
remediation: 7.7
relevance: 6.5
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.