VU#980487: Local privilege escalation in Linux Kernel (Dirty Frag)
The "Dirty Frag" vulnerability affects Linux kernel versions 4.10 and later, stemming from flawed handling of fragmented IPv4/IPv6 packets. It allows an attacker to manipulate fragment offsets, leading to memory corruption during reassembly. This vulnerability is a combination of two previously known ones, specifically related to xfrm-ESP and RxRPC page-cache writes. Successful exploitation can trigger a denial of service or, potentially, privilege escalation. The root cause lies in the kernel's insufficient validation of fragment metadata during the reassembly process, allowing for malformed sequences. The impact includes kernel panics, memory corruption, and container escapes. Immediate mitigation involves updating the Linux distribution's kernel package with patches. Workarounds include disabling the vulnerable modules (esp4, esp6, and rxrpc) or blacklisting them during boot. For containerized environments, additional mitigation strategies include seccomp filtering, AppArmor policies, and eBPF-based enforcement. The vulnerability was discovered and disclosed by Hyunwoo Kim, and the documentation was written by Bob Kemerer.