Linux Kernel IPv6 Source Routing Header Vulnerability Leading to Out-of-Bounds Write

Vulnerability

A vulnerability in the Linux kernel's handling of IPv6 Source Routing Headers can cause an out-of-bounds write. The issue is in the 'ipv6_rpl_srh_rcv()' function, which decompresses a Source Routing Header, swaps segments, and then recompresses the header. The recompressed header can be larger than the original, particularly when the segment swap shortens the prefix shared with the destination address. Because the additional headroom this consumes is not checked, a single packet can cause a 14-byte out-of-bounds write, as reported by KASAN.
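The size arithmetic behind this, as an added example (not kernel code and not part of the original advisory): it follows the RFC 6554 header layout, and the function names, the sample addresses and the assumption that recompression uses the longest prefix shared with the new destination are illustrative. A non-zero result is the extra space a receive path has to secure before it writes the header back.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define ADDR_LEN  16
#define SRH_FIXED 8   /* fixed part of the RFC 6554 header */

/* Leading bytes two IPv6 addresses share, capped at 15 (4-bit Cmpr fields). */
static unsigned shared(const uint8_t *a, const uint8_t *b)
{
    unsigned n = 0;
    while (n < 15 && a[n] == b[n])
        n++;
    return n;
}

/* On-wire length: nseg-1 entries elide CmprI bytes, the last elides CmprE
 * bytes, and the address area is padded to a multiple of 8 octets. */
static size_t srh_len(unsigned nseg, unsigned cmpri, unsigned cmpre)
{
    size_t body = (size_t)(nseg - 1) * (ADDR_LEN - cmpri) + (ADDR_LEN - cmpre);
    return SRH_FIXED + ((body + 7) & ~(size_t)7);
}

/* Model (assumption): swap segs[0] with the destination, recompress against
 * the new destination, return bytes needed beyond orig_len (0 if it fits). */
static size_t recompress_growth(const uint8_t *daddr, uint8_t segs[][ADDR_LEN],
                                unsigned nseg, size_t orig_len)
{
    uint8_t new_daddr[ADDR_LEN];
    unsigned cmpri = 15, cmpre, i, p;
    memcpy(new_daddr, segs[0], ADDR_LEN);
    memcpy(segs[0], daddr, ADDR_LEN);            /* the swap */
    for (i = 0; i + 1 < nseg; i++)
        if ((p = shared(new_daddr, segs[i])) < cmpri)
            cmpri = p;
    cmpre = shared(new_daddr, segs[nseg - 1]);
    size_t new_len = srh_len(nseg, cmpri, cmpre);
    return new_len > orig_len ? new_len - orig_len : 0;
}

/* Constructed sample: destination 2001:db8::1, last segment 2001:db8::3,
 * first segment 2001:db8::2 with its first byte replaced by seg0_first. */
static size_t sample_growth(uint8_t seg0_first, size_t orig_len)
{
    uint8_t d[ADDR_LEN] = { 0x20, 0x01, 0x0d, 0xb8, [15] = 1 };
    uint8_t s[2][ADDR_LEN] = { { seg0_first, 0x01, 0x0d, 0xb8, [15] = 2 },
                               { 0x20, 0x01, 0x0d, 0xb8, [15] = 3 } };
    return recompress_growth(d, s, 2, orig_len);
}
```

With the constructed addresses, `sample_growth(0x20, 16)` returns 0 because every address keeps a 15-byte shared prefix, while `sample_growth(0xfd, 32)` returns 8 because the new destination shares no prefix with the remaining entries.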

Impact

The result is a 14-byte out-of-bounds write, which can potentially overwrite memory and cause undefined behavior.

Reproduction

The vulnerability can be reproduced by sending an IPv6 packet with a Source Routing Header that includes two segments. The first segment should be swapped into the destination address, and the header should be recompressed in a way that increases its size. This can be done using raw sockets over the loopback interface.

Remediation

Users can upgrade to the latest version of the Linux kernel where this vulnerability has been fixed.

Added: May 21, 2026, 1:34 PM
Updated: May 21, 2026, 1:34 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 0.6
exploitability: 4.3
remediation: 7.7
relevance: 9.0
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.