Security researchers have identified a critical flaw (CVE-2023-1078) in the Linux Kernel affecting the RDS (Reliable Datagram Sockets) protocol. This vulnerability is caused by the usage of the list_entry() function on the head of a list in the rds_rm_zerocopy_callback() function, which leads to type confusion. The type confusion enables a local user to have control over a pointer that should point to a specific data structure. This vulnerability could then be exploited to cause an out-of-bounds access and a lock corruption, which may lead to denial of service or unauthorized access to sensitive data.

Code Snippet

The problematic code lies in the rds_rm_zerocopy_callback() function in the Linux Kernel, as demonstrated in the following snippet:

#include <linux/list.h>

/* Walk the zero-copy cookie list, unlinking each entry and dropping the
 * reference it holds on its message. The _safe iterator is required here
 * because each entry is removed from the list (and may be freed) mid-walk. */
void rds_rm_zerocopy_callback(struct rds_sock *rs, struct rm_zcopy_cookies *cookie)
{
  struct rds_msg_zcopy_info *info, *tmp;

  list_for_each_entry_safe(info, tmp, &cookie->z_cookie_head, m_zlist) {
    list_del(&info->m_zlist);
    rds_message_put(info->m_rs);
  }
}

Exploit Details

An attacker can exploit this vulnerability by triggering the rds_message_put() function. The function rds_rm_zerocopy_callback() uses list_entry() on the head of a list, which results in type confusion: list_entry() computes the address of the containing object by subtracting the member offset, so when the argument is the list head rather than a member of a real entry, the result points into whatever object embeds that head. This means the struct rds_msg_zcopy_info *info pointer can potentially be controlled by the attacker, giving them the ability to trigger an out-of-bounds access and consequently a lock corruption.
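
To make the flaw concrete, here is an added userspace model (not kernel code and not from the advisory) of why list_entry() on a list head produces a pointer into the object that embeds the head, beside the corrected empty-check plus list_first_entry() pattern. The list helpers, the structure names zcopy_info and sock_mock and their layouts are hypothetical stand-ins for the RDS structures.

```c
#include <stddef.h>

/* Userspace mock of the kernel's intrusive list API (constructed for this example). */
struct list_head { struct list_head *next, *prev; };
#define container_of(ptr, type, member) ((type *)((char *)(ptr) - offsetof(type, member)))
#define list_entry(ptr, type, member) container_of(ptr, type, member)
#define list_first_entry(head, type, member) list_entry((head)->next, type, member)
static void init_list_head(struct list_head *h) { h->next = h->prev = h; }
static int list_empty(const struct list_head *h) { return h->next == h; }
static void list_add_tail(struct list_head *n, struct list_head *h) {
    n->prev = h->prev; n->next = h; h->prev->next = n; h->prev = n;
}

/* Stand-ins for the kernel structures (hypothetical layouts, not the real RDS definitions). */
struct zcopy_info { unsigned magic; struct list_head rs_zcookie_next; };
struct sock_mock  { unsigned lock;  struct list_head rs_zcookie_queue; };

/* Buggy pattern from the advisory: list_entry() applied to the list head itself.
 * The head is embedded in sock_mock, so the returned "info" pointer is really the
 * socket object: type confusion. Writes through it land on socket fields (the lock). */
static struct zcopy_info *entry_buggy(struct sock_mock *sk) {
    return list_entry(&sk->rs_zcookie_queue, struct zcopy_info, rs_zcookie_next);
}

/* Corrected pattern: refuse an empty queue, then take the first real element. */
static struct zcopy_info *entry_fixed(struct sock_mock *sk) {
    if (list_empty(&sk->rs_zcookie_queue))
        return NULL;
    return list_first_entry(&sk->rs_zcookie_queue, struct zcopy_info, rs_zcookie_next);
}

/* Returns 1: with an empty queue, the buggy "info->magic" aliases sk.lock exactly. */
static int demo_buggy(void) {
    struct sock_mock sk = { .lock = 1 };
    init_list_head(&sk.rs_zcookie_queue);
    char *magic = (char *)entry_buggy(&sk) + offsetof(struct zcopy_info, magic);
    return magic == (char *)&sk.lock;
}

/* Returns 1: the fixed lookup yields NULL on an empty queue and the real first entry otherwise. */
static int demo_fixed(void) {
    struct sock_mock sk = { .lock = 1 };
    struct zcopy_info a = { .magic = 0x494E464F };
    init_list_head(&sk.rs_zcookie_queue);
    if (entry_fixed(&sk) != NULL)
        return 0;
    list_add_tail(&a.rs_zcookie_next, &sk.rs_zcookie_queue);
    return entry_fixed(&sk) == &a;
}
```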

References

- Linux Kernel Mailing List - Contains the detailed discussion about the vulnerability by Linux Kernel developers.
- CVE Details - The vulnerability's official CVE entry with additional details and references.
- National Vulnerability Database - The official U.S. government repository of vulnerability information.

Mitigations and Recommendations

The developers have acknowledged the flaw and are working on an upstream patch to address it. Upon the release of the patch or updated kernel version, system administrators should update to the fixed kernel as soon as possible.

- Limit the exposure of the affected systems to the internet, if possible.
- Enable proper firewall rules and intrusion detection/prevention systems (IDS/IPS) to mitigate attacks.

Conclusion

The CVE-2023-1078 vulnerability exposes a type confusion flaw in the Linux Kernel RDS protocol, allowing an attacker to trigger an out-of-bounds access and a lock corruption. The potential impact of these attacks ranges from denial of service to unauthorized access to sensitive data. Until a patch is released, organizations should implement sound security practices and closely monitor their systems for malicious behavior.

Timeline

Published on: 03/27/2023 21:15:00 UTC
Last modified on: 05/05/2023 20:15:00 UTC