In the Linux kernel, the following vulnerability has been resolved:
ipv6: sr: fix out-of-bounds read when setting HMAC data.
The SRv6 layer allows defining HMAC data that can later be used to sign IPv6
Segment Routing Headers. This configuration is realised via netlink through
four attributes: SEG6_ATTR_HMACKEYID, SEG6_ATTR_SECRET, SEG6_ATTR_SECRETLEN and
SEG6_ATTR_ALGID. Because the SECRETLEN attribute is decoupled from the actual
length of the SECRET attribute, it is possible to provide invalid combinations
(e.g., secret "", secretlen 64). This case is not checked in the code and
with an appropriately crafted netlink message, an out-of-bounds read of up
to 64 bytes (max secret length) can occur past the skb end pointer and into
skb_shared_info:
Breakpoint 1, seg6_genl_sethmac (skb<optimized out>, info<optimized out>) at net/ipv6/seg6.c:208
208 memcpy(hinfo->secret, secret, slen);
(gdb) bt
#0 seg6_genl_sethmac (skb<optimized out>, info<optimized out>) at net/ipv6/seg6.c:208
#1 0xffffffff81e012e9 in genl_family_rcv_msg_doit (skbskb@entry0xffff88800b1f9f00, nlhnlh@entry0xffff88800b1b7600,
extackextack@entry0xffffc90000ba7af0, opsops@entry0xffffc90000ba7a80, hdrlen4, net0xffffffff84237580 <init_net>, family<optimized out>,
family<optimized out>) at net/netlink/genetlink.c:731
#2 0xffffffff81e01435 in genl_family_rcv_msg (extack0xffffc90000ba7af0, nlh0xffff88800b1b7600, skb0xffff88800b1f9f00,
family0xffffffff82fef6c0 <seg6_genl_family>) at net/netlink/genetlink.c:775
#3 genl_rcv_msg (skb0xffff88800b1f9f00, nlh0xffff88800b1b7600, extack0xffffc90000ba7af0) at net/netlink/genetlink.c:792
#4 0xffffffff81dfffc3 in netlink_rcv_skb (skbskb@entry0xffff88800b1f9f00, cbcb@entry0xffffffff81e01350 <genl_rcv_msg>)
at net/netlink/af_netlink.c:2501
#5 0xffffffff81e00919 in genl_rcv (skb0xffff88800b1f9f00) at net/netlink/genetlink.c:803
#6 0xffffffff81dff6ae in netlink_unicast_kernel (ssk0xffff888010eec800, skb0xffff88800b1f9f00, sk0xffff888004aed000)
at net/netlink/af_netlink.c:1319
#7 netlink_unicast (sskssk@entry0xffff888010eec800, skbskb@entry0xffff88800b1f9f00, portidportid@entry0, nonblock<optimized out>)
at net/netlink/af_netlink.c:1345
#8 0xffffffff81dff9a4 in netlink_sendmsg (sock<optimized out>, msg0xffffc90000ba7e48, len<optimized out>) at net/netlink/af_netlink.c:1921
...
(gdb) p/x ((struct sk_buff *)0xffff88800b1f9f00)->head + ((struct sk_buff *)0xffff88800b1f9f00)->end
$1 0xffff88800b1b76c0
(gdb) p/x secret
$2 0xffff88800b1b76c0
(gdb) p slen
$3 64 '@'
The OOB data can then be read back from userspace by dumping HMAC state. This
commit fixes this by ensuring SECRETLEN cannot exceed the actual length of
SECRET.
Publication date: Fri, 03 May 2024 20:15:00 +0000