Linux Kernel AF_RXRPC Buffer Overflow Vulnerability in procfs Address Formatting

Vulnerability

A vulnerability in the Linux kernel's AF_RXRPC implementation can lead to a buffer overflow. The procfs helpers for AF_RXRPC format socket addresses into fixed 50-byte stack buffers using a specific formatting directive. This buffer size is insufficient for the longest possible IPv6 address with a port, which can reach 51 bytes including the null terminator. The issue arises because the current formatting does not account for certain IPv6 address types, leading to potential overflow when the formatted address exceeds the buffer size.

Impact

Exploitation of this vulnerability can cause a buffer overflow, which may lead to arbitrary code execution or corruption of memory, depending on the specific circumstances.

Reproduction

The vulnerability can be reproduced by using the AF_RXRPC procfs helpers to format socket addresses. The formatting will exceed the buffer size when an IPv6 address with a port, such as one representing an ISATAP address, is processed. This can be observed by triggering the relevant procfs operations that involve socket address formatting.

Remediation

The vulnerability has been addressed by resizing the buffers used for socket address formatting to accommodate the maximum possible size of the formatted address, and by changing the formatting function to one that safely handles the larger size. Users should upgrade to the patched version of the Linux kernel.
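The sizing argument above, worked through as an added user-space example (not kernel code and not taken from the patch). `fmt_isatap` and the mixed IPv6/dotted-quad layout it prints are assumptions used to model an ISATAP-style address with a port; the kernel's own formatting directive is not reproduced here.

```c
#include <stdio.h>
#include <stddef.h>

#define OLD_BUF_SIZE 50   /* fixed stack buffer size described on the page */

/* Constructed worst-case input: all-ones prefix, all-255 IPv4 part, top port. */
static const unsigned WORST_PREFIX[4] = {0xffff, 0xffff, 0xffff, 0xffff};
static const unsigned WORST_V4[4] = {255, 255, 255, 255};
static const unsigned WORST_PORT = 65535;

/* Hypothetical user-space model of the formatted text: an ISATAP-style
 * address in mixed notation with brackets and port. Like snprintf(), it never
 * writes more than `size` bytes and returns the length the full string needs
 * (excluding the NUL), so the caller can detect truncation. */
static int fmt_isatap(char *buf, size_t size, const unsigned prefix[4],
                      const unsigned v4[4], unsigned port)
{
    return snprintf(buf, size, "[%x:%x:%x:%x:0:5efe:%u.%u.%u.%u]:%u",
                    prefix[0], prefix[1], prefix[2], prefix[3],
                    v4[0], v4[1], v4[2], v4[3], port);
}

/* Storage the worst case needs, including the NUL terminator. */
static size_t worst_case_bytes(void)
{
    int need = fmt_isatap(NULL, 0, WORST_PREFIX, WORST_V4, WORST_PORT);
    return need < 0 ? 0 : (size_t)need + 1;
}

/* 1 if a buffer of `size` bytes (at most 64) holds the whole worst case. */
static int fits(size_t size)
{
    char buf[64];
    if (size > sizeof(buf))
        size = sizeof(buf);
    int need = fmt_isatap(buf, size, WORST_PREFIX, WORST_V4, WORST_PORT);
    return need >= 0 && (size_t)need < size;
}

int main(void)
{
    printf("worst case needs %zu bytes; old buffer has %d\n",
           worst_case_bytes(), OLD_BUF_SIZE);
    printf("fits in %d: %d, fits in %zu: %d\n", OLD_BUF_SIZE,
           fits(OLD_BUF_SIZE), worst_case_bytes(), fits(worst_case_bytes()));
    return 0;
}
```

The modelled string is 50 visible characters, so it needs 51 bytes with the terminator, one more than the 50-byte buffer; a bounded formatter truncates and reports the shortfall instead of writing past the end.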

Added: Apr 24, 2026, 4:58 PM
Updated: Apr 24, 2026, 4:58 PM

Vulnerability Rating

Custom Algorithm
spread: 9.0
impact: 2.5
exploitability: 4.3
remediation: 7.7
relevance: 6.6
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.