In the Linux kernel, the following vulnerability has been resolved: ip6_tunnel: clear skb2->cb[] in ip4ip6_err() Oskar Kjos reported the following problem. ip4ip6_err() calls icmp_send() on a cloned skb whose cb[] was written by the IPv6 receive path as struct inet6_skb_parm. icmp_send() passes IPCB(skb2) to __ip_options_echo(), which interprets that cb[] region as struct inet_skb_parm (IPv4). The layouts differ: inet6_skb_parm.nhoff at offset 14 overlaps inet_skb_parm.opt.rr, producing a non-zero rr value. __ip_options_echo() then reads optlen from attacker-controlled packet data at sptr[rr+1] and copies that many bytes into dopt->__data, a fixed 40-byte stack buffer (IP_OPTIONS_DATA_FIXED_SIZE). To fix this we clear skb2->cb[], as suggested by Oskar Kjos. Also add minimal IPv4 header validation (version == 4, ihl >= 5).
The ip4ip6_err() function calls icmp_send() on a cloned packet (skb) whose cb[] field was previously populated by the IPv6 receive path with an inet6_skb_parm structure. The icmp_send() function passes the IPCB(skb2) macro to __ip_options_echo(), which interprets the same cb[] area as an inet_skb_parm structure (IPv4). Because the layouts of both structures differ, the inet6_skb_parm.nhoff field at offset 14 overlaps with inet_skb_parm.opt.rr, assigning it a non-zero value. Consequently, __ip_options_echo() reads the optlen value from the packet data controlled by the attacker (sptr[rr+1]) and copies the corresponding number of bytes to the dopt->__data buffer on the stack, which has a fixed size of 40 bytes (IP_OPTIONS_DATA_FIXED_SIZE). The fix involves zeroing skb2->cb[] before passing the packet and adding minimal IPv4 header validation (version == 4, ihl >= 5).
A remote, unauthenticated attacker can overflow a stack buffer in the Linux kernel, which may lead to arbitrary code execution in kernel space (RCE), and thus to complete system takeover, loss of confidentiality, integrity, and data availability.
Patches available from the vendor should be applied in accordance with the references — fixes have been published in the kernel.org repository at the addresses indicated in the CVE references section. It is recommended to update the kernel as soon as possible to a version containing the described patches.
Linux Kernel — specific versions indicated in the vendor references (patch commits available in the kernel.org repository)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HLinux Kernel
OSLinux7.05.11 – 5.15.203 (bez)5.16 – 6.1.168 (bez)6.2 – 6.6.134 (bez)2.6.22 – 5.10.253 (bez)6.13 – 6.18.22 (bez)6.19 – 6.19.12 (bez)6.7 – 6.12.81 (bez)
Related vulnerabilities
Type confusion w V8 (Google Chrome) — zdalne uszkodzenie sterty
Commvault Command Center – nieuwierzytelniony RCE przez path traversal w ZIP
IBM Aspera Faspex 4.4.2 Patch Level 1 and earlier could allow a remote attacker to execute arbitrary code on t...
VMware Workspace ONE Access and Identity Manager contain a remote code execution vulnerability due to server-s...
VMware Workspace One Access, Access Connector, Identity Manager, and Identity Manager Connector address have a...