Linux Kernel IOAM6 Schema Length Wraparound Vulnerability in Trace Data Handling

A vulnerability in the Linux kernel's IOAM6 (In-situ Operations, Administration, and Maintenance) implementation for IPv6 has been addressed. The issue arose because the function responsible for filling trace data with schema contributions used an 8-bit unsigned integer to store the length of the schema. When the largest schema payload was processed, the length calculation wrapped around, bypassing a crucial remaining-space check. This oversight allowed the function to overwrite parts of the trace buffer by copying the full schema payload and header without properly reserving space first. The vulnerability has been fixed by changing the data type of the length variable to an unsigned integer, ensuring that the full length is accurately represented and that the remaining-space check functions correctly.

Impact

Exploitation of this vulnerability could lead to a buffer overflow, where data is written beyond the allocated memory space, potentially causing memory corruption or allowing for arbitrary code execution.

Reproduction

The vulnerability can be reproduced by enabling bit 22 in the IOAM6 schema payload, which causes the length calculation to overflow. This can be done by creating a payload that exceeds the maximum length, triggering the wraparound effect. Once the payload is processed by the 'ioam6_fill_trace_data()' function, the vulnerability will manifest as a buffer overrun, with the trace buffer being overwritten by the excess data.

Remediation

Users can upgrade to the latest version of the Linux kernel where this vulnerability has been fixed. Instructions for downloading the patched version are available on the official Linux kernel website.