Linux Kernel PPPoE PFC Frame Dissection Vulnerability on MIPS Architecture

A vulnerability exists in the Linux kernel's handling of PPPoE frames with Protocol Field Compression (PFC) on MIPS architecture. RFC 2516 advises against using PFC with PPPoE, and while the pppd utility does not negotiate PFC for PPPoE sessions, the flow dissector driver incorrectly assumed frames were uncompressed. This oversight can lead to a 4-byte misalignment in the network header, causing an unaligned access exception on MIPS boards. The issue arises when a PPPoE PFC frame is sent to an Ethernet interface with Receive Packet Steering (RPS) enabled, even if no active PPPoE session is present.

Impact

Exploitation of this vulnerability causes an unaligned access exception on MIPS architectures, which can disrupt normal kernel operations and potentially be exploited to execute arbitrary code.

Reproduction

The vulnerability can be reproduced by sending a PPPoE PFC frame to an Ethernet interface of a MIPS board with RPS enabled, even if no PPPoE session is active on that interface. The unaligned access exception can be observed as a kernel error.

Remediation

Users are advised to update to the latest version of the Linux kernel where this vulnerability has been addressed.