CVE CyberSecurity Database News

CVE-2019-25160 - How Out-of-Bounds Bugs in Linux netlabel Could Crash Your System

Poster -

In February 2021, the Linux kernel team patched a subtle but serious vulnerability, now tracked as CVE-2019-25160, that lurked quietly for years inside the netlabel subsystem. This bug is a great example of how a single misplaced array check can have dramatic impact on the stability and security of an operating system.

Let’s break down what happened, how the bug works, see code snippets, and examine how the fix landed in the mainline kernel. By the end, you’ll understand not only how this CVE could have been exploited, but also how you can check and patch your own systems.

The Vulnerability at a Glance

The Linux kernel provides a way to label network packets with security information, called NetLabel. Within this subsystem, two functions, cipso_v4_map_lvl_valid() and netlbl_bitmap_walk(), contained classic array out-of-bounds memory accesses.

Unpredictably corrupt kernel memory (worse things…)

The bugs were described as “embarrassingly simple” by the kernel maintainers—and so are their fixes.

Diving into the Bug: Code Walkthrough

Let’s look at how the vulnerabilities happened. The explanation is straightforward: these functions accessed arrays without checking the upper bounds properly.

This function sits in the netlabel’s CIPSO LSM (Common IP Security Option, Linux Security Module)

static int cipso_v4_map_lvl_valid(const struct cipso_v4_doi *doi_def,
                                  u8 lvl)
{
    if (doi_def->map.std->lvl_valid[lvl])
        return 1;
    return ;
}

This helper inspects a bitmap using a size parameter

int netlbl_bitmap_walk(const unsigned long *bitmap, u32 bitmap_len,
                       u32 offset, int invert)
{
    for (i = offset; i < bitmap_len; i++) {
        // ... access bitmap[i]
    }
}

In early kernels, this function did not properly ensure that i never exceeded the size of bitmap, enabling out-of-bounds memory access.

Set lvl or bitmap offset: Pass a value high enough to make out-of-bounds array access happen.

3. Trigger a crash: The kernel attempts to access memory it shouldn’t, leading to a crash (oops/panic) or, in some systems, leaking adjacent memory contents.

A minimal C program to trigger the bug would look like this (conceptual, not plug-and-play)

#include <netinet/ip.h>
#include <sys/socket.h>
#include <string.h>

int main() {
    int sock = socket(AF_INET, SOCK_RAW, IPPROTO_RAW);
    // Craft a packet with malformed CIPSO options
    char packet[60] = {};

    // Fill in IP header with options...
    struct iphdr *ip = (struct iphdr *)packet;
    ip->ihl = 15; // 60 bytes / 4
    ip->version = 4;
    ip->tot_len = htons(60);
    // ... add bogus CIPSO option with invalid "lvl" field

    // send to localhost
    struct sockaddr_in dst = {};
    dst.sin_family = AF_INET;
    dst.sin_addr.s_addr = htonl(INADDR_LOOPBACK);

    sendto(sock, packet, sizeof(packet), , (struct sockaddr *)&dst, sizeof(dst));
    return ;
}

If the system is vulnerable, this could crash the kernel.

The Patch: Fixing the Check

According to the upstream commit:

Before (bad)

if (doi_def->map.std->lvl_valid[lvl]) // No bounds check!

After (fixed)

if (lvl < CIPSO_V4_INV_LVL && doi_def->map.std->lvl_valid[lvl])
    return 1;

Now, lvl is validated against the max array size (likely 256 or less).

Similar guard logic was added wherever bitmaps or arrays were walked.

Instead, patch wherever you find cipso_v4_bitmap_walk().

This ensures you’re catching the bug, even if it was moved/renamed in newer source.

Update your kernel! Most distros include this patch if you’re up-to-date

- Check: uname -r and compare with your distro’s advisory for CVE-2019-25160

- Upstream Linux commit (fix)
- CVE-2019-25160 summary at NVD
- Red Hat security advisory
- NetLabel documentation

Final Thoughts

It’s amazing how an “embarrassingly simple” bug can threaten the foundations of an operating system. CVE-2019-25160 is a reminder: always check your array bounds, especially when dealing with input from the outside world. A single missing check could leave your servers, or your entire business, open to easy attack.

Patch up, and keep safe! If you’re interested in more kernel deep dives, stay tuned for posts just like this.


### Was your system affected by CVE-2019-25160? Did you need to patch an old kernel? Let us know in the comments!

Timeline

Published on: 02/26/2024 18:15:06 UTC
Last modified on: 04/17/2024 17:43:57 UTC