Linux Kernel RxRPC Response Packet Handling Vulnerability Unsharing Issue

A vulnerability in the Linux kernel's RxRPC implementation could lead to a packet sniffer observing decrypted RESPONSE packets as corrupt. This issue arises because the decryption process modifies the packet in place, potentially allowing a shared sk_buff to be intercepted by a sniffer. The vulnerability affects the Linux kernel stable tree, specifically in the RxRPC connection-level packet processing.

Impact

The vulnerability could cause decrypted RESPONSE packets to be misinterpreted as corrupt when observed by a packet sniffer, leading to confusion or misrepresentation of the data being transmitted.

Reproduction

The vulnerability can be reproduced by using RxRPC sockets that are shared with a packet sniffer. When RESPONSE packets are decrypted, the modification is done in place, creating an opportunity for the sniffer to see the altered packet as corrupt. This scenario can be simulated by intercepting the network traffic while the RxRPC connection is active and RESPONSE packets are being processed.

Remediation

The vulnerability has been addressed in the Linux kernel. Users should upgrade to the latest version where this issue has been fixed.