Unvalidated `keylen` used in memcpy leading to heap-based overflow in Linux TIPC
A relatively trivial heap overflow in the Transparent Inter-Process Communication (TIPC) module of the kernel. The crypto_key_rcv function in the driver takes a received packet and parses it for key data. The packet contains a name, a key length, then an auxiliary data buffer containing the key itself. The problem is that keylen isn’t validated against the overall message size until after it has already been used to memcpy the key into the newly allocated buffer for it.
This bug comes with some blessings when it comes to exploitation. Because the attacker influences the size of the allocation via the message size, they can choose which kmalloc cache the overflow lands in. The attacker also controls the data that gets written out of bounds: the allocation is sized from the given message size, but that message size is only validated to be within the bounds of the received packet. By sending a large packet with a smaller message size, the data that gets written out of bounds can be set up.
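As an added illustration of the fix (not the kernel's code), the hardened parser below validates keylen against the message size before it sizes and fills the allocation. The structs, field names and the `demo_parse` helper are a constructed model of the layout described above, not the real TIPC definitions.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
/* Constructed model of the layout described above (not the real TIPC
 * structures): a fixed-size name, a key length, then the key bytes. */
struct key_msg {
    char name[8];
    uint32_t keylen;
    uint8_t data[];       /* key bytes follow the header */
};
struct key {
    uint32_t keylen;
    uint8_t key[];
};

/* Hardened parser: keylen is checked against the message size BEFORE it
 * sizes and fills the allocation. The bug described above does the same
 * comparison only after the memcpy, so an oversized keylen overflows the
 * fresh allocation. Returns NULL on malformed input. */
struct key *parse_key_checked(const uint8_t *msg, size_t msg_size)
{
    const struct key_msg *hdr = (const struct key_msg *)msg;
    if (msg_size < sizeof(*hdr))                 /* header must fit */
        return NULL;
    if (hdr->keylen > msg_size - sizeof(*hdr))   /* key must fit in the rest */
        return NULL;
    struct key *k = malloc(sizeof(*k) + hdr->keylen);
    if (!k)
        return NULL;
    k->keylen = hdr->keylen;
    memcpy(k->key, hdr->data, hdr->keylen);
    return k;
}

/* Constructed sample message carrying 16 key bytes but advertising
 * `claimed` as keylen. Returns the parsed length, or -1 when rejected. */
int demo_parse(uint32_t claimed)
{
    uint8_t msg[sizeof(struct key_msg) + 16] = {0};
    struct key_msg *hdr = (struct key_msg *)msg;
    hdr->keylen = claimed;
    memset(hdr->data, 0x41, 16);
    struct key *k = parse_key_checked(msg, sizeof(msg));
    if (!k)
        return -1;
    int len = (int)k->keylen;
    free(k);
    return len;
}
```

A keylen that fits the remaining bytes (16 or less here) is accepted; anything larger is rejected before any allocation or copy happens.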