Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
A vulnerability exists in the Linux kernel's RxRPC implementation, in the key payload parsing function 'rxrpc_preparse()'. The function has two parsing paths: one for large payloads, which uses XDR and correctly validates ticket lengths, and one for smaller payloads (28 bytes or less), which lacks that validation. An unprivileged user can therefore send a key with an excessively long ticket; when the key is processed, the total token size exceeds the allowed limit and a warning is triggered. The fix adds the missing validation to the non-XDR parsing path so that ticket lengths cannot exceed the specified maximums.
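The gap between the two parsing paths described above, modelled in user-space C as an added example. It is not the kernel's code: the header layout, the TICKET_MAX and TOKEN_MAX values and all function names are assumptions made for illustration.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Assumed limits for this model (constructed values, not the kernel's). */
#define TICKET_MAX 1024u  /* per-ticket cap the validating path enforces */
#define TOKEN_MAX  2048u  /* cap applied later to the total token size */
struct legacy_hdr {       /* hypothetical fixed header of the non-XDR form */
    uint16_t security_index;
    uint16_t ticket_length;   /* caller-controlled */
    uint8_t  session_key[8];
};

/* Size computed downstream; a result above TOKEN_MAX models the warning. */
static size_t token_size(uint16_t ticket_length)
{
    return sizeof(struct legacy_hdr) + (((size_t)ticket_length + 3u) & ~(size_t)3u);
}

/* enforce_cap = 0 models the path before the fix, 1 the path after it. */
static int parse_legacy(const uint8_t *p, size_t len, int enforce_cap, size_t *tok)
{
    struct legacy_hdr h;
    if (len < sizeof(h)) return -EINVAL;
    memcpy(&h, p, sizeof(h));
    if (len != sizeof(h) + h.ticket_length) return -EINVAL;
    /* The check that was missing: bound the ticket before sizing the token. */
    if (enforce_cap && h.ticket_length > TICKET_MAX) return -EMSGSIZE;
    *tok = token_size(h.ticket_length);
    return 0;
}

/* Constructed sample: header announcing ticket_len bytes, zero-filled ticket. */
static size_t make_payload(uint8_t *buf, uint16_t ticket_len)
{
    struct legacy_hdr h = { .security_index = 2, .ticket_length = ticket_len };
    memset(buf, 0, sizeof(h) + ticket_len);
    memcpy(buf, &h, sizeof(h));
    return sizeof(h) + ticket_len;
}

int main(void)
{
    static uint8_t buf[sizeof(struct legacy_hdr) + 4000];
    size_t tok = 0, len = make_payload(buf, 4000);
    int before = parse_legacy(buf, len, 0, &tok);  /* accepted, oversized token */
    int after = parse_legacy(buf, len, 1, &tok);   /* rejected at parse time */
    return (before == 0 && tok > TOKEN_MAX && after == -EMSGSIZE) ? 0 : 1;
}
```

Rejecting the key at parse time keeps the oversized value from ever reaching the code that computes the total token size.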
Exploitation of this vulnerability could lead to a warning being triggered due to an invalid token size, indicating a potential disruption in the expected operation of the RxRPC subsystem.
To reproduce this vulnerability, send a key payload through the non-XDR path of the 'rxrpc_preparse()' function that exceeds the maximum allowed ticket length. This can be done by manipulating the ticket length parameter to exceed the validated limits, which will cause the total token size calculation to surpass the maximum allowed length, triggering a warning.
Users can upgrade to the latest version of the Linux kernel where this vulnerability has been fixed. Instructions for upgrading the Linux kernel can be found in the official Linux documentation.