Linux Kernel Segmentation Fault Vulnerability in LWTunnels

A vulnerability in the Linux kernel's Segment Routing (SR) implementation can lead to improper handling of destination caches in lightweight tunnels. This issue arises because the SR tunnels use a single destination cache for both input and output paths, which can create conflicts when the paths are processed in different routing contexts. As a result, one path may overwrite the cache used by the other, bypassing necessary routing lookups. The vulnerability affects the Linux kernel stable group.

Impact

Exploitation of this vulnerability can cause segmentation faults in the kernel, potentially leading to denial of service conditions.

Reproduction

The vulnerability can be reproduced by creating a lightweight tunnel that uses Segment Routing. When packets are sent through the tunnel, the input and output paths will share the same destination cache. If the input path is processed first, it will populate the cache, and the output path will blindly reuse this cached information without performing its own routing lookup. This can be observed by monitoring the packet processing in different routing contexts, such as ingress interface rules or Virtual Routing and Forwarding (VRF) table separations.

Remediation

The vulnerability has been addressed by modifying the Segment Routing lightweight tunnel implementation to use separate destination caches for input and output paths. Users should upgrade to the latest version of the Linux kernel where this fix has been applied.