CVE-2021-46955 is a recently disclosed and already fixed vulnerability in the Linux kernel's openvswitch module, triggered while fragmenting IPv4 packets. This article explains the bug, the code path that reaches it and the fix, with code snippets and links to the original references.

Vulnerability Details

The vulnerability lives in the openvswitch module of the Linux kernel and leads to a stack out-of-bounds (OOB) read while fragmenting IPv4 packets. On a production kernel the read is silent; it becomes visible when openvswitch runs on a kernel built with the Kernel Address Sanitizer (KASAN).

When IPv4 fragmentation was exercised on such a kernel, KASAN reported the following splat:

BUG: KASAN: stack-out-of-bounds in ip_do_fragment+0x1b03/0x1f60

The root cause is in ovs_fragment(), which, for IPv4, attaches a temporary struct dst_entry allocated on its own stack to the skb. Further down the fragmentation path, ip_mtu_locked() receives that dst pointer and treats it as the dst member embedded in a struct rtable (the kernel's container_of idiom), then reads the rtable's rt_mtu_locked field. Because the temporary is only a dst_entry, not a full rtable, that field lies past the end of the variable and the read lands on whatever is next on ovs_fragment()'s stack.

The fix changes the temporary used for IPv4 packets in ovs_fragment() to a full struct rtable and attaches its embedded dst member to the skb, the same way the IPv6 branch a few lines below already uses a struct rt6_info.

Below is the call path from ip_do_fragment() down to ip_mtu_locked(), where the out-of-bounds read happens:

ip_do_fragment()
    ip_skb_dst_mtu()
      ip_dst_mtu_maybe_forward()
        ip_mtu_locked()
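
The following is an added illustration, not code from the kernel or from the fix commit: it reproduces the pattern behind the bug in user space with constructed, deliberately simplified stand-ins for struct dst_entry and struct rtable (the real kernel structs are much larger, but share the one property used here, that the dst_entry is the first member of the rtable). ip_mtu_locked() is mirrored with the kernel's container_of idiom; rt_mtu_locked_read_in_bounds(), buggy_ovs_fragment_v4_in_bounds(), fixed_ovs_fragment_v4_in_bounds() and fixed_ovs_fragment_v4_mtu_locked() are hypothetical helpers that compare the offset of the field the kernel reads against the size of the stack object actually allocated, so the out-of-bounds read is demonstrated without performing it.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed, simplified stand-ins for the kernel structs (hypothetical layout). */
struct dst_entry {
    void *dev;
    unsigned int flags;
    unsigned long refcnt;
};

struct rtable {
    struct dst_entry dst;          /* first member, as in the kernel */
    int rt_genid;
    unsigned int rt_flags;
    unsigned char rt_mtu_locked;   /* the field ip_mtu_locked() reads */
    unsigned int rt_mtu;
};

/* Same idea as the kernel's container_of(dst, struct rtable, dst): recover the
 * enclosing rtable from a pointer to its embedded dst member. No check is made
 * that a real rtable is actually there; that is the whole problem. */
static const struct rtable *rt_from_dst(const struct dst_entry *dst)
{
    return (const struct rtable *)((const char *)dst - offsetof(struct rtable, dst));
}

/* Mirror of the kernel's ip_mtu_locked(): reads rtable state through a dst pointer. */
static bool ip_mtu_locked(const struct dst_entry *dst)
{
    const struct rtable *rt = rt_from_dst(dst);
    return rt->rt_mtu_locked;
}

/* Would reading rt_mtu_locked through this dst stay inside the object that was
 * actually allocated (obj_size bytes starting at dst)? Computed from offsets, so
 * nothing out of bounds is dereferenced here. */
static bool rt_mtu_locked_read_in_bounds(const struct dst_entry *dst, size_t obj_size)
{
    const struct rtable *rt = rt_from_dst(dst);
    size_t field_end = offsetof(struct rtable, rt_mtu_locked) + sizeof(rt->rt_mtu_locked);
    return field_end <= obj_size;
}

/* Buggy pattern: a bare dst_entry on the stack handed to code expecting an rtable.
 * Calling ip_mtu_locked(&ovs_dst) here would read past the variable, which is
 * exactly the stack-out-of-bounds read KASAN flagged in ip_do_fragment(). */
bool buggy_ovs_fragment_v4_in_bounds(void)
{
    struct dst_entry ovs_dst;
    memset(&ovs_dst, 0, sizeof(ovs_dst));
    return rt_mtu_locked_read_in_bounds(&ovs_dst, sizeof(ovs_dst));
}

/* Fixed pattern: allocate the full rtable and attach its embedded dst, so every
 * field container_of() can reach is backed by real stack storage. */
bool fixed_ovs_fragment_v4_in_bounds(void)
{
    struct rtable ovs_rt;
    memset(&ovs_rt, 0, sizeof(ovs_rt));
    return rt_mtu_locked_read_in_bounds(&ovs_rt.dst, sizeof(ovs_rt));
}

/* With the fixed layout, ip_mtu_locked() reads the field we actually initialised. */
bool fixed_ovs_fragment_v4_mtu_locked(unsigned char locked)
{
    struct rtable ovs_rt;
    memset(&ovs_rt, 0, sizeof(ovs_rt));
    ovs_rt.rt_mtu_locked = locked;
    return ip_mtu_locked(&ovs_rt.dst);
}

int main(void)
{
    printf("sizeof(struct dst_entry) = %zu, rt_mtu_locked ends at offset %zu\n",
           sizeof(struct dst_entry),
           offsetof(struct rtable, rt_mtu_locked) + sizeof(unsigned char));
    printf("buggy temporary keeps the read in bounds: %s\n",
           buggy_ovs_fragment_v4_in_bounds() ? "yes" : "no");
    printf("fixed temporary keeps the read in bounds: %s\n",
           fixed_ovs_fragment_v4_in_bounds() ? "yes" : "no");
    return 0;
}
```

The point the numbers make is that container_of() is purely arithmetic: it trusts the caller's promise that the dst really is embedded in an rtable, and nothing in ip_mtu_locked() can tell a lone dst_entry from one inside an rtable. Allocating the outer object, as the fix does for IPv4, is the only way to keep that promise; it is also why the IPv6 branch, which already used a struct rt6_info, was never affected.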

Original References

The discovery and the fix are recorded in the corresponding commit in the official Linux kernel source tree.

Exploit

There is no known public exploit for this vulnerability. The read is confined to the kernel stack of ovs_fragment(), and on a kernel without KASAN it silently consumes whatever lies beyond the temporary variable as if it were the rtable's MTU-locked flag, so the observable effect is incorrect fragmentation behaviour rather than an immediate crash. Even so, an out-of-bounds kernel stack read reachable from network traffic is not something to leave in place: patch the kernel to remove the possibility of unintended behaviour, crashes or information leaks.

Conclusion

CVE-2021-46955 is a noteworthy vulnerability that has been resolved in the Linux kernel. Users are advised to update their kernel to the latest version to prevent potential issues due to this vulnerability.

Timeline

Published on: 02/27/2024 19:04:06 UTC
Last modified on: 02/28/2024 14:06:45 UTC