Linux Kernel Rxrpc Out-of-Bounds Read Vulnerability in RESPONSE Authenticator Parser

A vulnerability allowing an out-of-bounds read has been identified in the Linux kernel's Rxrpc implementation. The issue arises in the RESPONSE authenticator parser, where the function 'rxgk_verify_authenticator()' incorrectly handles the length of authentication data. It copies a specified number of bytes into a temporary buffer and then miscalculates the end of the buffer when passing it to another function for verification. This flaw allows malformed RESPONSE authenticators to read beyond the allocated memory, potentially leading to memory corruption. The vulnerability has been addressed in the Linux kernel stable tree.

Impact

Exploitation of this vulnerability causes a slab-out-of-bounds error, as reported by the Kernel Address Sanitizer (KASAN). Such out-of-bounds reads can lead to information disclosure or memory corruption, allowing for more severe attacks, such as arbitrary code execution.

Reproduction

The vulnerability can be reproduced by processing a malformed RESPONSE authenticator in the Rxrpc connection. This can be done by implementing a scenario where the 'rxgk_verify_authenticator()' function is called with an authentication length that, when converted to a __be32 unit, exceeds the bounds of the allocated buffer. The out-of-bounds read can be observed as a KASAN report, indicating a slab-out-of-bounds error.

Remediation

Users can upgrade to the latest version of the Linux kernel to address this vulnerability. The patched version is available in the Linux kernel stable tree.