Linux · Linux Kernel · CVE-2024-26733
Name of the Vulnerable Software and Affected Versions:
Linux kernel versions prior to 6.1.74
Description:
The vulnerability is a buffer overflow in the `arp_req_get()` function in the Linux kernel. When the `ioctl(SIOCGARP)` command is issued, the function looks up a neighbour entry and copies the `neigh->ha` value into the `struct arpreq.arp_ha.sa_data` buffer. However, `arp_ha` is a plain `struct sockaddr`, whose `sa_data` buffer is only 14 bytes long, so the copy overflows the buffer; when `dev->addr_len` is greater than 22, the overflow reaches `arp_netmask` and overwrites its value, potentially allowing an attacker to gain elevated privileges.
The vulnerability can be triggered by issuing the `ioctl(SIOCGARP)` command with a specially crafted `struct arpreq` buffer, which leads to the buffer overflow and potentially allows an attacker to execute arbitrary code.
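The following user-space model, added here as an illustration and not code from the kernel or from this advisory, lays out `struct arpreq` with the same field order the kernel's UAPI header uses (the `model_` structures are this example's own definitions, assumed to mirror that layout) and contrasts an unbounded copy of `addr_len` bytes into the 14-byte `sa_data` field with a copy clamped to the field size. It computes how many bytes separate `arp_ha.sa_data` from the IPv4 mask stored in `arp_netmask`, and reports for a range of hardware-address lengths whether a preset 255.255.255.255 mask survives the copy; the clamped variant is the example's own hardening, not a statement of what any particular kernel commit changed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* This file's own model of the UAPI structures involved (assumed to mirror
 * the layout the advisory describes; these are not the kernel headers). */
#define MODEL_SA_DATA_LEN   14
#define MODEL_IFNAMSIZ      16
#define MODEL_MAX_ADDR_LEN  32   /* upper bound for dev->addr_len in this model */

struct model_sockaddr {
    uint16_t sa_family;
    char     sa_data[MODEL_SA_DATA_LEN];
};

struct model_arpreq {
    struct model_sockaddr arp_pa;        /* protocol (IPv4) address */
    struct model_sockaddr arp_ha;        /* hardware address, 14-byte payload */
    int                   arp_flags;
    struct model_sockaddr arp_netmask;   /* IPv4 mask sits at sa_data[2..5] */
    char                  arp_dev[MODEL_IFNAMSIZ];
};

/* Prepare a request as a caller would before SIOCGARP: netmask preset to
 * 255.255.255.255 in the sockaddr_in position inside arp_netmask. */
static void init_request(struct model_arpreq *r)
{
    memset(r, 0, sizeof *r);
    memset(&r->arp_netmask.sa_data[2], 0xFF, 4);
}

/* Unbounded copy: addr_len bytes into a 14-byte field. Written through a
 * byte pointer at the field's offset so the spill stays inside the
 * enclosing struct and can be observed rather than being undefined. */
static void copy_ha_unbounded(struct model_arpreq *r, const unsigned char *ha, size_t addr_len)
{
    unsigned char *dst = (unsigned char *)r + offsetof(struct model_arpreq, arp_ha.sa_data);
    memcpy(dst, ha, addr_len);
}

/* Bounded copy: never more than the field can hold. */
static void copy_ha_bounded(struct model_arpreq *r, const unsigned char *ha, size_t addr_len)
{
    size_t n = addr_len < sizeof r->arp_ha.sa_data ? addr_len : sizeof r->arp_ha.sa_data;
    memcpy(r->arp_ha.sa_data, ha, n);
}

/* 1 if the preset netmask value survived the copy, 0 if it was clobbered. */
static int netmask_intact(const struct model_arpreq *r)
{
    static const unsigned char all_ones[4] = {0xFF, 0xFF, 0xFF, 0xFF};
    return memcmp(&r->arp_netmask.sa_data[2], all_ones, 4) == 0;
}

/* Run one copy strategy for a given addr_len; returns netmask_intact(),
 * or -1 if addr_len exceeds what the model allows. */
int netmask_survives(int bounded, size_t addr_len)
{
    unsigned char ha[MODEL_MAX_ADDR_LEN];
    struct model_arpreq r;
    if (addr_len > sizeof ha) return -1;
    memset(ha, 0xAB, sizeof ha);            /* constructed hardware-address bytes */
    init_request(&r);
    if (bounded) copy_ha_bounded(&r, ha, addr_len);
    else         copy_ha_unbounded(&r, ha, addr_len);
    return netmask_intact(&r);
}

/* Byte distance from the start of arp_ha.sa_data to the IPv4 mask value. */
size_t bytes_before_netmask(void)
{
    return offsetof(struct model_arpreq, arp_netmask.sa_data) + 2
         - offsetof(struct model_arpreq, arp_ha.sa_data);
}

int main(void)
{
    size_t lens[] = {6, 14, 20, 22, 23, 32};
    printf("netmask value starts %zu bytes after arp_ha.sa_data\n", bytes_before_netmask());
    for (size_t i = 0; i < sizeof lens / sizeof lens[0]; i++)
        printf("addr_len=%2zu unbounded:%s bounded:%s\n", lens[i],
               netmask_survives(0, lens[i]) ? "intact   " : "CLOBBERED",
               netmask_survives(1, lens[i]) ? "intact" : "CLOBBERED");
    return 0;
}
```

With this layout the mask value begins 22 bytes after `arp_ha.sa_data`, which is why lengths of 22 or less leave it untouched while 23 and above (up to the 32-byte maximum used here) overwrite it; the clamped copy keeps the mask intact for every length.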
Recommendations:
To resolve the issue, update the Linux kernel to a version that includes the fix for the vulnerability. Specifically, update to a version that includes the commit `b5f0de6df6dc` ("net: dev: Convert sa_data to flexible array in struct sockaddr") or later.
As a temporary workaround, consider disabling the `arp_req_get()` function until a patch is available. However, this may have unintended consequences and should be carefully evaluated before implementation.
Note: The provided information does not include details about the existence of a patch or a fixed version for all affected systems. Therefore, the recommendation to update to a newer version is based on the assumption that such a version exists and is available for the specific system in question.