An out-of-bounds access within the Linux kernel has existed in the mainline kernel for the past three years and could be triggered by an unprivileged user submitting a specially crafted certificate to the kernel.
Among the last-minute patches working their way into the mainline Git tree ahead of today’s expected Linux 7.0 stable kernel release is one fixing an out-of-bounds access within the X.509 certificate parsing code. Unprivileged users can submit a specially crafted certificate to the kernel via the kernel’s keyrings API to cause the OOB access. Making matters worse, the bug has existed in the mainline kernel since the Linux 6.4 release in 2023. So beyond this patch making it just in time for the Linux 7.0 kernel release, it’s also marked for back-porting to all stable kernel versions still supported since Linux 6.4 (6.6 LTS, 6.12 LTS, 6.18 LTS, and 6.19).
An out-of-bounds kernel access can lead to privilege escalation, information leaks/disclosure, arbitrary code execution, kernel panics, or other outcomes depending upon the exact details. OOB access issues are particularly problematic when they can be triggered by unprivileged users. In this case the information leak would be minimal, but there is still the possibility of a kernel crash or denial of service.
Lukas Wunner, who authored the fix by adding additional conditional checks, explained in the patch message:
“[Leo Lin] reports an out-of-bounds access when parsing a certificate with empty Basic Constraints or Key Usage extension because the first byte of the extension is read before checking its length. Fix it.
The bug can be triggered by an unprivileged user by submitting a specially crafted certificate to the kernel through the keyrings(7) API. Leo has demonstrated this with a proof-of-concept program responsibly disclosed off-list.”
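The pattern described in the patch message, shown as an added illustration in C (this is not the kernel's X.509 parser or Lukas Wunner's patch; the extension handler, `cert_ctx`, and the DER layouts it accepts are simplified and hypothetical). The unsafe handler inspects the extension's first byte before checking its length, so an empty Basic Constraints or Key Usage body makes the verdict depend on whatever byte follows it in memory; the fixed handler checks the length before dereferencing anything.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Hypothetical extension ids for this example (not the kernel's OID enum). */
enum ext_kind { EXT_BASIC_CONSTRAINTS, EXT_KEY_USAGE };

struct cert_ctx {
    bool is_ca;          /* BasicConstraints cA flag */
    uint8_t key_usage;   /* first content byte of the KeyUsage BIT STRING */
};

/* Unsafe pattern: the tag byte v[0] is read before vlen is checked, so an
 * empty extension body (vlen == 0) reads the byte past the body and the
 * accept/reject decision depends on that stray byte. */
int note_extension_unsafe(struct cert_ctx *ctx, enum ext_kind kind,
                          const uint8_t *v, size_t vlen)
{
    uint8_t want = (kind == EXT_BASIC_CONSTRAINTS) ? 0x30 : 0x03;
    if (v[0] != want)                  /* out-of-bounds read when vlen == 0 */
        return -EBADMSG;
    if (kind == EXT_BASIC_CONSTRAINTS)
        ctx->is_ca = (vlen >= 5 && v[2] == 0x01 && v[4] != 0);
    else
        ctx->key_usage = (vlen >= 4) ? v[3] : 0;
    return 0;
}

/* Fixed pattern: validate the length before touching any byte of the body,
 * and keep every later index inside vlen. */
int note_extension_safe(struct cert_ctx *ctx, enum ext_kind kind,
                        const uint8_t *v, size_t vlen)
{
    uint8_t want = (kind == EXT_BASIC_CONSTRAINTS) ? 0x30 : 0x03;
    /* tag byte, inner length byte, and inner length must match the body */
    if (vlen < 2 || v[0] != want || (size_t)v[1] != vlen - 2)
        return -EBADMSG;
    if (kind == EXT_BASIC_CONSTRAINTS) {
        /* SEQUENCE { BOOLEAN cA OPTIONAL }: an empty SEQUENCE means cA = FALSE */
        ctx->is_ca = (vlen == 5 && v[2] == 0x01 && v[3] == 0x01 && v[4] != 0);
        return 0;
    }
    /* BIT STRING: v[2] is the unused-bit count, v[3] the first bit byte */
    if (vlen < 4 || v[2] > 7)
        return -EBADMSG;
    ctx->key_usage = v[3];
    return 0;
}
```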
