Linux Kernel VJ-Compressed TCP Header Processing Vulnerability Allowing Out-of-Bounds Read

A vulnerability in the Linux kernel's handling of VJ-compressed TCP headers can lead to out-of-bounds reading. The issue arises in the SLIP (Serial Line Internet Protocol) compression driver, specifically within the 'slhc_uncompress()' function. This function processes compressed TCP headers by moving a pointer through the packet using the 'decode()' and 'pull16()' functions. However, these functions do not properly check the packet size, allowing 'decode()' to read beyond the packet's end. The over-read data is then incorporated into the internal state and affects subsequent packets. The vulnerability can be exploited by sending a short compressed frame that requests optional fields, causing 'decode()' to over-read and potentially expose sensitive data.

Impact

Exploitation of this vulnerability can lead to memory over-read, where data beyond the intended buffer is accessed. This could potentially be exploited to read sensitive information from memory or cause other unintended behaviors in the system.

Reproduction

To reproduce this vulnerability, send a VJ-compressed TCP packet that includes optional fields in the change byte. The 'slhc_uncompress()' function will process the packet, allowing the 'decode()' function to read past the end of the packet buffer. This can be done by crafting a TCP packet that takes advantage of the compression and optional field handling, and then transmitting it over a SLIP connection.

Remediation

Users can upgrade to the latest version of the Linux kernel where this vulnerability has been fixed. The commit addressing this issue is available in the Linux kernel stable tree.