Linux Kernel Oversized RESPONSE Authenticator Length Check Vulnerability in Rxrpc

A vulnerability in the Linux kernel's Rxrpc implementation allows oversized RESPONSE authenticators to be accepted, leading to a potential crash. The issue arises because the length check for the authenticator is inverted, allowing invalid lengths to be passed to the decryption function. This can result in a buffer length error that triggers a kernel bug check. The vulnerability affects several versions of the Linux kernel.

Impact

Exploitation of this vulnerability can cause a kernel crash due to a buffer length error, triggering a bug check that halts the system.

Reproduction

The vulnerability can be reproduced by sending a packet with an oversized RESPONSE authenticator to a Rxrpc connection. The rxgk_verify_response() function will incorrectly accept the length, pass it to rxgk_decrypt_skb(), and eventually cause skb_to_sgvec() to encounter an invalid length, hitting a BUG_ON() check and crashing the kernel.

Remediation

Users can upgrade to the latest version of the Linux kernel where this vulnerability has been fixed. Instructions for downloading the patched version are available on the Linux kernel official website.