Description
In the Linux kernel, the following vulnerability has been resolved: rxrpc: fix RESPONSE authenticator parser OOB read rxgk_verify_authenticator() copies auth_len bytes into a temporary buffer and then passes p + auth_len as the parser limit to rxgk_do_verify_authenticator(). Since p is a __be32 *, that inflates the parser end pointer by a factor of four and lets malformed RESPONSE authenticators read past the kmalloc() buffer. Decoded from the original latest-net reproduction logs with scripts/decode_stacktrace.sh: BUG: KASAN: slab-out-of-bounds in rxgk_verify_response() Call Trace: dump_stack_lvl() [lib/dump_stack.c:123] print_report() [mm/kasan/report.c:379 mm/kasan/report.c:482] kasan_report() [mm/kasan/report.c:597] rxgk_verify_response() [net/rxrpc/rxgk.c:1103 net/rxrpc/rxgk.c:1167 net/rxrpc/rxgk.c:1274] rxrpc_process_connection() [net/rxrpc/conn_event.c:266 net/rxrpc/conn_event.c:364 net/rxrpc/conn_event.c:386] process_one_work() [kernel/workqueue.c:3281] worker_thread() [kernel/workqueue.c:3353 kernel/workqueue.c:3440] kthread() [kernel/kthread.c:436] ret_from_fork() [arch/x86/kernel/process.c:164] Allocated by task 54: rxgk_verify_response() [include/linux/slab.h:954 net/rxrpc/rxgk.c:1155 net/rxrpc/rxgk.c:1274] rxrpc_process_connection() [net/rxrpc/conn_event.c:266 net/rxrpc/conn_event.c:364 net/rxrpc/conn_event.c:386] Convert the byte count to __be32 units before constructing the parser limit.
Product status
9d1d2b59341f58126a69b51f9f5f8ccb9f12e54a (git) before 7875f3d9777bd4e9892c4db830571ab8ac2044c0
9d1d2b59341f58126a69b51f9f5f8ccb9f12e54a (git) before 20a188775a9a9982d1987e12660d9b44b40a6c99
9d1d2b59341f58126a69b51f9f5f8ccb9f12e54a (git) before 3e3138007887504ee9206d0bfb5acb062c600025
6.16
Any version before 6.16
6.18.23 (semver)
6.19.13 (semver)
7.0 (original_commit_for_fix)
References
git.kernel.org/...c/7875f3d9777bd4e9892c4db830571ab8ac2044c0
git.kernel.org/...c/20a188775a9a9982d1987e12660d9b44b40a6c99
git.kernel.org/...c/3e3138007887504ee9206d0bfb5acb062c600025