Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
A vulnerability exists in the Linux kernel's IP6 tunnel handling, specifically within the IPv4-over-IPv6 tunneling feature. The `ip4ip6_err` function processes a cloned socket buffer (skb) that has already been modified by the IPv6 receive path, yet the buffer's control block (cb) is interpreted as an IPv4 structure. Because of this mismatch, the function can read data from an attacker-controlled packet and potentially overwrite a fixed-size stack buffer, creating a risk of stack-based buffer overflow.
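The control-block mismatch described above, modelled in user space as an added example (not kernel code and not the upstream patch). The struct layouts, `reset_cb` and the length check are simplified assumptions that show why bytes written by one protocol layer must be cleared or validated before another layer reads them as a length.

```c
#include <stdint.h>
#include <string.h>

#define CB_SIZE 48   /* per-packet scratch area shared by all protocol layers */
#define OPT_MAX 40   /* fixed-size buffer the IPv4 error path copies options into */
/* Simplified stand-ins (assumption), not the kernel's real cb layouts. */
struct v6_cb { uint32_t iif; uint8_t hdr_off; uint8_t flags; };
struct v4_cb { uint32_t iif; uint8_t optlen;  uint8_t flags; };
struct pkt { uint8_t cb[CB_SIZE]; const uint8_t *data; size_t len; };

/* IPv6 receive path: records its own bookkeeping in the shared cb. */
void v6_receive(struct pkt *p, uint8_t hdr_off)
{
    struct v6_cb c;
    memset(&c, 0, sizeof(c));
    c.iif = 2; c.hdr_off = hdr_off; c.flags = 1;
    memcpy(p->cb, &c, sizeof(c));
}

/* The option length the IPv4 path sees when it reads those same bytes. */
uint8_t v4_optlen_seen(const struct pkt *p)
{
    struct v4_cb c;
    memcpy(&c, p->cb, sizeof(c));
    return c.optlen;
}

/* Hand-off between address families: drop the previous layer's state. */
void reset_cb(struct pkt *p) { memset(p->cb, 0, CB_SIZE); }

/* Hardened consumer: returns bytes copied, or -1 if the length is not usable. */
int v4_echo_options(const struct pkt *p, uint8_t out[OPT_MAX])
{
    size_t n = v4_optlen_seen(p);
    if (n > OPT_MAX || n > p->len)
        return -1;                 /* would overrun out[] or read past the packet */
    if (n) memcpy(out, p->data, n);
    return (int)n;
}

int main(void)
{
    uint8_t payload[64] = {0}, out[OPT_MAX];   /* constructed sample packet */
    struct pkt p = { .data = payload, .len = sizeof(payload) };
    v6_receive(&p, 200);                       /* IPv6 state left in cb */
    int stale = v4_echo_options(&p, out);      /* rejected: 200 > OPT_MAX */
    reset_cb(&p);
    return (stale == -1 && v4_echo_options(&p, out) == 0) ? 0 : 1;
}
```

With a stale value of 8 instead of 200 the length check passes and 8 bytes are still copied, which is why the hand-off clears the block rather than relying on the bounds check alone.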
Exploitation of this vulnerability could lead to a stack-based buffer overflow, allowing for arbitrary code execution or causing a denial-of-service condition by crashing the system.
To reproduce this vulnerability, send an IPv6 packet that will be processed by the IP6 tunnel module, ensuring that the packet includes data that can be interpreted as an IPv4 control block. The IP4IP6_ERR function will then misinterpret the IPv6 control data, leading to the buffer overflow condition.
Users can upgrade to the patched version of the Linux kernel available in the Linux Kernel Git Repository under the stable branch.