Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
A vulnerability in the Linux kernel's netem packet scheduling component can lead to out-of-bounds memory access. This issue arises when fully non-linear packets are sent over an IPIP tunnel, causing the packet head length to be zero. The packet corruption logic then uses this zero value to select a random index for modifying packet data, leading to uncontrolled memory access. The vulnerability has been addressed by ensuring the packet head length is non-zero before applying corruption, allowing non-linear packets to bypass the logic without causing memory errors.
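The guard described above, as a user-space model added here for illustration; it is not the kernel's code or the upstream patch. `toy_skb`, `toy_rand_below` and the other names are hypothetical, and treating a zero bound as "no limit on the index" is an assumption standing in for the uncontrolled index the description mentions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Toy stand-in for a socket buffer: only what the corruption step reads. */
struct toy_skb {
    uint8_t *head;     /* linear (head) area */
    uint32_t headlen;  /* bytes in the head; 0 when all data sits in fragments */
};

/* Assumed model of a bounded-random helper: a zero bound limits nothing. */
static uint32_t toy_rand_below(uint32_t raw, uint32_t bound)
{
    return bound ? raw % bound : raw;
}

/* Pre-fix shape: the index the step would use. Computed only, never written. */
uint32_t index_unguarded(const struct toy_skb *skb, uint32_t raw)
{
    return toy_rand_below(raw, skb->headlen);
}

/* 1 if idx falls inside the linear head, 0 otherwise. */
int index_in_head(const struct toy_skb *skb, uint32_t idx)
{
    return idx < skb->headlen;
}

/* Post-fix shape: flip one bit only when a head exists.
 * Returns the index that was modified, or -1 when the packet is skipped. */
long corrupt_guarded(struct toy_skb *skb, uint32_t raw, unsigned bit)
{
    if (skb->headlen == 0)
        return -1;                       /* fully non-linear: bypass corruption */
    uint32_t idx = toy_rand_below(raw, skb->headlen);
    skb->head[idx] ^= (uint8_t)(1u << (bit % 8));
    return (long)idx;
}

int main(void)
{
    uint8_t buf[4] = {0};                       /* constructed sample data */
    struct toy_skb linear = { buf, 4 };
    struct toy_skb nonlinear = { NULL, 0 };     /* head length zero */
    uint32_t bad = index_unguarded(&nonlinear, 123456u);
    printf("unguarded index in head: %d\n", index_in_head(&nonlinear, bad));
    printf("guarded, non-linear:     %ld\n", corrupt_guarded(&nonlinear, 6, 0));
    printf("guarded, linear:         %ld\n", corrupt_guarded(&linear, 6, 0));
    return 0;
}
```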
Exploitation of this vulnerability can cause out-of-bounds memory access, potentially leading to memory corruption or other undefined behavior.
To reproduce this vulnerability, send fully non-linear packets over an IPIP tunnel using an AF_PACKET TX_RING. The netem_enqueue() function will then process these packets, resulting in an out-of-bounds memory access due to the packet head length being zero.
Users can upgrade to the patched version of the Linux kernel available in the Linux kernel stable tree.