Message-ID: <CAD04+wgk7R3PvaP3ORcpQc_NrVunyNY-NaboXWozc2FLbUW7YA@mail.gmail.com>
Date: Fri, 23 Jan 2026 18:58:42 -0500
From: Richard Howe <rhowe425@...il.com>
To: netdev@...r.kernel.org
Subject: Fwd: iproute2 out-of-bounds read in parse_rtattr_flags()
---------- Forwarded message ---------
From: Richard Howe <rhowe425@...il.com>
Date: Fri, Jan 23, 2026 at 6:39 PM
Subject: iproute2 out-of-bounds read in parse_rtattr_flags()
To: <security@...nel.org>
Good afternoon,
I am reaching out to report a buffer overflow that I have uncovered in
iproute2. I am attaching screenshots of ASAN and GDB output, as well as a
copy of my harness that was used to discover the bug.
*Description*
A vulnerability exists in *iproute2* in the Netlink attribute parsing logic
within libnetlink. The function parse_rtattr_flags() fails to properly
validate the rta_len field of struct rtattr when processing Netlink
attributes. Because rta_len is derived from untrusted input and is not
sufficiently bounds-checked, a crafted attribute can cause an out-of-bounds
read in userspace.
*Affected Component*
- Project: iproute2
- File: lib/libnetlink.c
- Function: parse_rtattr_flags()
*Impact*
An attacker able to supply malformed Netlink attribute data can trigger an
out-of-bounds memory read, leading to a denial of service (process crash)
or potential information disclosure in userspace.
*Attack Vector*
Local. The vulnerability can be triggered by providing crafted Netlink
attribute data to a userspace program that uses libnetlink for attribute
parsing.
*Root Cause*
The parse_rtattr_flags() function trusts the rta_len field of incoming
Netlink attributes without validating that:
- rta_len is at least the size of struct rtattr
- rta_len does not exceed the remaining buffer length
This allows invalid length values to influence pointer arithmetic and loop
conditions, resulting in out-of-bounds memory access.
*Exploitation Details*
A malformed Netlink attribute with a large or inconsistent rta_len value
causes the parser to advance beyond the end of the supplied buffer.
AddressSanitizer detects this condition as a global buffer overflow during
parsing.
*Mitigation*
Validate Netlink attribute lengths prior to use by ensuring rta_len is
within valid bounds relative to the remaining buffer and abort parsing on
invalid values.
*Suggested Fix (High Level)*
Before using rta_len:
- Validate rta_len >= sizeof(struct rtattr)
- Validate rta_len <= remaining buffer length
- Abort parsing when len becomes negative
Similar checks are already present in other Netlink parsers and could be
reused for consistency.
Credit: Richard Howe
Download attachment "image.png" of type "image/png" (186070 bytes)
Download attachment "image.png" of type "image/png" (54393 bytes)
View attachment "harness.c" of type "text/x-c-code" (2452 bytes)
Download attachment "id:000000,sig:06,src:000043+000037,time:326275610,execs:67991712,op:splice,rep:64" of type "application/octet-stream" (32766 bytes)
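Added example (not iproute2's code and not the reporter's harness): a minimal rtattr walker in C that applies the three checks listed in the suggested fix, built on the RTA_OK/RTA_NEXT macros in the form the Linux uapi header linux/rtnetlink.h defines them (copied locally so the file compiles without kernel headers). It is run over constructed attribute streams, not captured traffic: a well-formed pair, an attribute with rta_len 0, a second attribute claiming 100 bytes when 8 remain, and an unpadded trailing attribute that drives the remaining length negative. The names parse_rtattr_checked, walk_result, put_attr and walk_case are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* struct rtattr and the walker macros, copied in the form used by the Linux
 * uapi header linux/rtnetlink.h, so this builds without kernel headers.
 * rta_len covers header + payload and excludes the 4-byte alignment pad. */
struct rtattr { unsigned short rta_len; unsigned short rta_type; };
#define RTA_ALIGNTO       4U
#define RTA_ALIGN(len)    (((len) + RTA_ALIGNTO - 1) & ~(RTA_ALIGNTO - 1))
#define RTA_OK(rta, len)  ((len) >= (int)sizeof(struct rtattr) && \
                           (rta)->rta_len >= sizeof(struct rtattr) && \
                           (rta)->rta_len <= (len))
#define RTA_NEXT(rta, attrlen) ((attrlen) -= RTA_ALIGN((rta)->rta_len), \
        (struct rtattr *)(((char *)(rta)) + RTA_ALIGN((rta)->rta_len)))
#define RTA_LENGTH(len)   (RTA_ALIGN(sizeof(struct rtattr)) + (len))

/* Outcome of one walk (hypothetical helper type for this example). */
struct walk_result {
    int accepted;    /* attributes that passed both rta_len checks */
    int remaining;   /* bytes left when the walk stopped; 0 == fully consumed */
    int truncated;   /* 1 if leftover bytes do not form a valid attribute */
};

/* Hypothetical length-checked walker: indexes attributes by type into tb[0..max].
 * RTA_OK gates every step, so an rta_len below sizeof(struct rtattr) or above
 * the bytes left ends the walk instead of moving the cursor past buf. len is a
 * signed int on purpose: once RTA_NEXT drives it negative, the first clause of
 * RTA_OK fails and nothing beyond the buffer is dereferenced. */
struct walk_result parse_rtattr_checked(struct rtattr *tb[], int max,
                                        void *buf, int len)
{
    struct walk_result r = { 0, 0, 0 };
    struct rtattr *rta = buf;

    memset(tb, 0, sizeof(tb[0]) * (size_t)(max + 1));
    while (RTA_OK(rta, len)) {
        if (rta->rta_type <= max && tb[rta->rta_type] == NULL)
            tb[rta->rta_type] = rta;
        r.accepted++;
        rta = RTA_NEXT(rta, len);
    }
    r.remaining = len;
    r.truncated = len > 0;
    return r;
}

/* Write one attribute (header, payload, zero pad) at buf + pos and return its
 * padded size. claimed_len < 0 stores the correct rta_len; any other value is
 * stored verbatim so malformed test input can be built. */
static size_t put_attr(uint8_t *buf, size_t pos, unsigned short type,
                       const void *payload, size_t paylen, int claimed_len)
{
    struct rtattr hdr = { claimed_len < 0 ? (unsigned short)RTA_LENGTH(paylen)
                                          : (unsigned short)claimed_len, type };
    memcpy(buf + pos, &hdr, sizeof hdr);
    memcpy(buf + pos + sizeof hdr, payload, paylen);
    return RTA_ALIGN(sizeof hdr + paylen);
}

/* Constructed sample streams (not captured traffic). buf is zero-filled so the
 * pad bytes are zero; each case is built, walked and its result returned. */
struct walk_result walk_case(int which)
{
    uint8_t buf[32] = { 0 };
    struct rtattr *tb[4];
    uint32_t addr = 0x0a000001;   /* arbitrary 4-byte payload */
    uint8_t flag = 1;             /* arbitrary 1-byte payload */
    size_t n = 0;

    switch (which) {
    case 0:   /* well-formed: rta_len 8, then rta_len 5 padded to 8 */
        n += put_attr(buf, n, 1, &addr, sizeof addr, -1);
        n += put_attr(buf, n, 2, &flag, sizeof flag, -1);
        break;
    case 1:   /* rta_len 0: smaller than the header itself */
        n += put_attr(buf, n, 1, &addr, sizeof addr, 0);
        break;
    case 2:   /* valid first attribute, second claims 100 bytes in an 8-byte tail */
        n += put_attr(buf, n, 1, &addr, sizeof addr, -1);
        n += put_attr(buf, n, 2, &addr, sizeof addr, 100);
        break;
    default:  /* rta_len 5 with only 5 bytes supplied: len becomes -3 after RTA_NEXT */
        put_attr(buf, 0, 2, &flag, sizeof flag, -1);
        n = 5;
    }
    return parse_rtattr_checked(tb, 3, buf, (int)n);
}

int main(void)
{
    static const char *name[] = { "well-formed", "rta_len 0", "oversized 2nd", "unpadded tail" };
    for (int i = 0; i < 4; i++) {
        struct walk_result r = walk_case(i);
        printf("%-14s accepted=%d remaining=%d truncated=%d\n",
               name[i], r.accepted, r.remaining, r.truncated);
    }
    return 0;
}
```

Build with cc -Wall. The last case is the one behind the "abort parsing when len becomes negative" item: after a trailing attribute whose padded size exceeds the bytes actually supplied, len is -3, and only because len is a signed int does the first clause of RTA_OK reject it; with an unsigned length the same value would wrap to a huge count, the check would pass, and the next header read would land past the buffer. This example does not reproduce the reported crash; the reporter's harness and the crashing input are the attachments above.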