Linux Kernel Open vSwitch Vport Netlink Upcall PID Array Buffer Overflow Vulnerability

Vulnerability

A buffer overflow vulnerability has been identified in the Open vSwitch (OVS) component of the Linux kernel. This issue arises within the vport netlink reply helpers, which allocate a fixed-size socket buffer (skb) but serialize the entire upcall PID array without proper size validation. A user with CAP_NET_ADMIN privileges can exploit this by sending a PID array large enough to overflow the allocated buffer. This vulnerability is particularly concerning on systems with unprivileged user namespaces enabled, such as the default Ubuntu configuration, where it can be exploited using the 'unshare -Urn' command. The flaw leads to a kernel panic, causing a fatal exception and a crash.

Impact

Exploitation of this vulnerability causes a kernel panic, leading to a crash of the affected system.

Reproduction

To reproduce this vulnerability, first ensure that the system is running a version of the Linux kernel with Open vSwitch installed and unprivileged user namespaces enabled. Then, from a process holding CAP_NET_ADMIN, send a netlink message through the Open vSwitch vport interface whose PID array exceeds the size the reply buffer was allocated for: its length must be a non-zero multiple of the size of a 32-bit integer and large enough to overflow the netlink reply buffer. The 'unshare -Urn' command can be used to create a new user namespace in which to perform an operation that triggers the vport upcall PID handling, such as modifying a virtual port's configuration.

Remediation

Users can upgrade to the latest stable version of the Linux kernel, where this vulnerability has been addressed. Instructions for upgrading the kernel can be found in the official Linux kernel documentation.

Added: May 27, 2026, 11:23 AM
Updated: May 27, 2026, 11:23 AM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 2.5
exploitability: 3.8
remediation: 7.7
relevance: 9.7
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.