Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
A vulnerability in the Linux kernel's netfilter component can lead to improper option handling in the x_tables abstraction layer for {ip,ip6,arp}_tables. When the last byte of options is a non-single-byte option kind, option walkers in the xt_tcpudp and xt_dccp modules can read past the end of the option area. This issue arises because the walkers advance based on the option length, potentially leading to a 1-byte tail read. The vulnerability has been addressed by adding a check to ensure the walker does not read beyond the intended boundary.
This vulnerability could be exploited to cause a 1-byte tail read, which may lead to information disclosure or other unintended behavior in the option handling of the affected modules.
The vulnerability can be reproduced by running the netfilter option walkers in the xt_tcpudp or xt_dccp modules over a crafted option area whose last byte is a non-single-byte option kind. The walker then reads past the end of the option area, demonstrating the tail read.
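The tail read and the boundary check described above, as an added user-space illustration that is not the kernel's code or the upstream patch. It assumes TCP-style encoding, in which kinds 0 and 1 are a single byte and every other kind is followed by a length byte; the names walk_options and walk_result, the guard byte and the sample bytes are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

struct walk_result {
    int found;        /* 1 if `kind` was seen inside the option area */
    size_t max_index; /* highest buffer index the walker read */
};

/*
 * Walk TCP-style options (assumed encoding): kinds 0 and 1 are a single
 * byte, every other kind is followed by a length byte. `buf` must hold
 * optlen + 1 bytes; the extra guard byte keeps the unbounded variant
 * inside the array so the over-read can be measured safely.
 */
static struct walk_result walk_options(const uint8_t *buf, size_t optlen,
                                       uint8_t kind, int bounded)
{
    struct walk_result r = { 0, 0 };
    size_t i = 0;

    while (i < optlen) {
        if (i > r.max_index)
            r.max_index = i;
        if (buf[i] == kind) {
            r.found = 1;
            break;
        }
        /* Single-byte kind, or (bounded only) no room for a length byte. */
        if (buf[i] < 2 || (bounded && i + 1 >= optlen)) {
            i++;
            continue;
        }
        if (i + 1 > r.max_index)
            r.max_index = i + 1;
        /* A zero length would loop forever, so step by one instead. */
        i += buf[i + 1] ? buf[i + 1] : 1;
    }
    return r;
}

int main(void)
{
    /* Constructed sample: NOP, NOP, NOP, then kind 8 with no length byte.
     * The option area is 4 bytes; 0xAA is the guard byte just past it. */
    const uint8_t buf[5] = { 1, 1, 1, 8, 0xAA };

    printf("unbounded max index: %zu\n", walk_options(buf, 4, 2, 0).max_index);
    printf("bounded max index:   %zu\n", walk_options(buf, 4, 2, 1).max_index);
    return 0;
}
```

An index equal to the option length (4 here) means the walker consumed the byte just past the option area as a length; the bounded variant stops at index 3.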
Users can upgrade to the patched version of the Linux kernel available in the Linux kernel stable tree. Instructions for downloading the patched version can be found in the Linux kernel Git repository.