Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*, +4 more
A heap buffer overflow vulnerability has been identified in the Linux kernel's IOAM6 (In-situ Operations, Administration, and Maintenance) implementation for IPv6. The issue arises in the function '__ioam6_fill_trace_data()' when processing incoming packets. The function relies on the 'nodelen' field of the trace header to determine how much data to write, but it does not validate this field against the 'type' field, which indicates which data items are present. An attacker can craft a packet that sets 'nodelen' to zero while manipulating the type bits, causing the function to write approximately 100 bytes beyond the allocated buffer into the adjacent 'skb_shared_info' structure. This memory corruption leads to a kernel panic.
Exploitation of this vulnerability causes a kernel panic due to memory corruption, disrupting system operations and potentially leading to a denial of service.
To reproduce this vulnerability, send a crafted IPv6 packet that manipulates the IOAM6 trace header. Set the 'nodelen' field to zero while activating type bits 0-21. This combination triggers the buffer overflow: '__ioam6_fill_trace_data()' writes beyond the allocated packet memory into the 'skb_shared_info' structure that the kernel keeps at the end of the packet buffer.
The vulnerability has been addressed by adding a consistency check for the 'nodelen' field in relation to the 'type' field, ensuring that only valid data lengths are processed. Users should upgrade to the latest stable version of the Linux kernel where this fix has been applied.
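As an added model of that consistency check (example code, not the kernel's own fix), the block below derives how many bytes a node writes from the 24-bit trace type bitmap and rejects a header whose 'nodelen' does not reserve that much. The per-bit field sizes follow the RFC 9197 trace layout and are an assumption of this model; the function names are hypothetical.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Bytes each IOAM trace type bit adds per node, following the RFC 9197
 * field layout (assumption: modelled here, not copied from the kernel).
 * Bits 8-10 are the 8-byte "wide" fields; bit 22 (opaque state snapshot)
 * is variable-length and counted only as its 4-byte header; bit 23 is
 * reserved. Bits 0-21 together come to the 100 bytes the advisory cites. */
static const uint8_t ioam6_type_bytes[24] = {
    4, 4, 4, 4, 4, 4, 4, 4,          /* bits 0-7   */
    8, 8, 8,                         /* bits 8-10  */
    4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, /* bits 11-21 */
    4, 0                             /* bits 22-23 */
};

/* Bytes one node would write for the given 24-bit trace type bitmap. */
size_t ioam6_node_bytes_for_type(uint32_t type)
{
    size_t total = 0;
    for (int bit = 0; bit < 24; bit++)
        if (type & (1u << bit))
            total += ioam6_type_bytes[bit];
    return total;
}

/* The consistency check the fix introduces, modelled: 'nodelen' counts
 * 4-byte words reserved per node and must cover every field that 'type'
 * asks the node to write; otherwise the header is rejected before any
 * fill routine touches the buffer. */
bool ioam6_trace_hdr_consistent(uint32_t type, uint8_t nodelen)
{
    if (nodelen > 31)                /* nodelen is a 5-bit field on the wire */
        return false;
    return (size_t)nodelen * 4 >= ioam6_node_bytes_for_type(type);
}

int main(void)
{
    /* Constructed values: the advisory's combination (bits 0-21, nodelen 0). */
    uint32_t crafted = (1u << 22) - 1;
    printf("bits 0-21 need %zu bytes; nodelen 0 -> %s\n",
           ioam6_node_bytes_for_type(crafted),
           ioam6_trace_hdr_consistent(crafted, 0) ? "accept" : "drop");
    printf("bit0|bit8, nodelen 3 -> %s\n",
           ioam6_trace_hdr_consistent((1u << 0) | (1u << 8), 3) ? "accept" : "drop");
    return 0;
}
```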