CVE-2023-54056

The vulnerability lies in the Linux kernel's kheaders module, which exposes kernel headers as a compressed tar archive via /sys/kernel/kheaders.tar.xz. The global variable kernel_headers_data was declared as a single char instead of a proper byte array, causing the FORTIFY_SOURCE protection mechanism to misinterpret the intended array size when memcpy() operations are performed on it.

To exploit this, a user with local access can simply read the sysfs file /sys/kernel/kheaders.tar.xz. When the kernel's ikheaders_read function copies the kernel headers data, the FORTIFY_SOURCE check sees the destination as a one-byte buffer and triggers a false positive buffer overflow detection, leading to a kernel panic.

The impact is a local denial of service. An unprivileged local user can trigger a kernel BUG (machine check exception) and crash the system by issuing a simple cat command on the exposed sysfs file. This does not require any special capabilities beyond the ability to read the sysfs node.

The fix changes the declaration of kernel_headers_data to an array (e.g., extern char kernel_headers_data[]), which correctly conveys the object's length to FORTIFY_SOURCE checks. Patched versions are available in the stable kernel trees; users should apply the corresponding commit for their kernel version [1][2][3].