Linux Kernel RxRPC Heap Buffer Overflow Vulnerability in RxGK Token Processing

Vulnerability

A heap buffer overflow vulnerability has been identified in the Linux kernel's RxRPC implementation, specifically in the processing of RxGK tokens. The function that parses the tokens does not properly validate the raw key and ticket lengths before using them. When these lengths exceed a certain threshold, the rounding function wraps the values, so the memory allocation is sized from an incorrect length. As a result, approximately 4 GiB of data is copied into the buffer, and the flaw can be exploited by an unprivileged user through the add_key() function.
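The length wrap described above, as an added user-space model beside a bounded version of the same calculation (example code, not the kernel's source or the upstream fix). The names `xdr_round_up`, `ex_unchecked_sizes` and `ex_checked_sizes` and the bound `EX_MAX_FIELD_LEN` are assumptions for illustration; the 4-byte rounding is standard XDR padding.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical upper bound for this example; the page does not state the real limit. */
#define EX_MAX_FIELD_LEN 16384u

/* XDR pads opaque fields to a 4-byte boundary. In 32-bit arithmetic the
 * addition wraps for lengths within 3 of UINT32_MAX. */
static uint32_t xdr_round_up(uint32_t len)
{
    return (len + 3u) & ~3u;
}

struct ex_sizes {
    uint32_t alloc_len; /* size derived from the rounded length */
    uint32_t copy_len;  /* raw length later used for the copy */
};

/* Unvalidated pattern: the rounded length is trusted without a bound check. */
static struct ex_sizes ex_unchecked_sizes(uint32_t raw_len)
{
    struct ex_sizes s = { xdr_round_up(raw_len), raw_len };
    return s;
}

/* Bounded pattern: reject the raw length before rounding, then check the
 * padded length against the bytes left in the token. Returns 0 or -1. */
static int ex_checked_sizes(uint32_t raw_len, uint32_t remaining, struct ex_sizes *out)
{
    uint32_t padded;

    if (raw_len > EX_MAX_FIELD_LEN)
        return -1;
    padded = xdr_round_up(raw_len); /* cannot wrap: raw_len is bounded */
    if (padded > remaining)
        return -1;
    out->alloc_len = padded;
    out->copy_len = raw_len;
    return 0;
}

int main(void)
{
    uint32_t raw = 0xFFFFFFFDu; /* constructed sample length */
    struct ex_sizes u = ex_unchecked_sizes(raw), c;

    printf("unchecked: alloc=%u copy=%u\n", (unsigned)u.alloc_len, (unsigned)u.copy_len);
    printf("checked: %s\n", ex_checked_sizes(raw, 64, &c) ? "rejected" : "accepted");
    return 0;
}
```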

Impact

Exploitation of this vulnerability leads to a heap buffer overflow, which can potentially be used to execute arbitrary code or cause a denial-of-service condition.

Reproduction

The vulnerability can be reproduced by sending an XDR token that includes a raw key length or ticket length exceeding the maximum allowed value. The rxrpc_preparse_xdr_yfs_rxgk() function will then misinterpret these lengths, causing the vulnerability to manifest.

Remediation

Users can upgrade to the latest version of the Linux kernel where this vulnerability has been fixed.

Added: Apr 24, 2026, 4:39 PM
Updated: Apr 24, 2026, 4:39 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 7.5
exploitability: 3.7
remediation: 7.7
relevance: 6.5
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.