LinkDoor: A Hidden Attack Surface in the Android Netlink Kernel Modules

Discover critical vulnerabilities in Android's Netlink kernel modules, exploring attack vectors and mitigation strategies for this overlooked attack surface.

Key takeaways
  • Netlink is a communication mechanism between kernel and user space in Linux, introduced in 1999 with Linux 2.2, with Generic Netlink following in 2006
  • Two main types of Netlink exist:
    • Classic Netlink (requires a custom protocol ID)
    • Generic Netlink (shares protocol ID 16, distinguished by family names)
  • Common vulnerability patterns found:
    • Developers not checking payload lengths
    • Missing header length validation
    • Improper attribute payload validation
    • Unprotected global variables
    • Issues with multi-threading/process handling
  • 38 vulnerabilities were discovered across four major vendors, resulting in 19 CVEs
  • Key attack vectors:
    • Classic Netlink message passing attacks
    • Generic Netlink attribute manipulation
    • Combining Netlink with other kernel attack surfaces (file operations, sockets)
    • Out-of-bounds read/write exploits
  • Security recommendations:
    • Use Generic Netlink instead of Classic Netlink when possible
    • Implement proper length and validity checks
    • Understand Netlink mechanisms before implementation
    • Use NLA policy for attribute validation
    • Check permissions via SELinux or capability checks
  • Netlink messages consist of:
    • Message header
    • Container type
    • Flags
    • Sequence number
    • Process port ID
  • Mitigation strategies:
    • Proper buffer size management
    • Input validation
    • Permission controls
    • Protected variable access
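The three length checks that the vulnerability-pattern and recommendation bullets above revolve around (header length against the bytes received, each attribute length against the remaining payload, each payload against an nla_policy-style table), written out as an added user-space example rather than code from the talk or any vendor module. The struct layouts mirror the kernel UAPI headers; the family, its attribute types, the policy table and the 36-byte sample message are constructed for this demonstration.

```c
#include <stdint.h>
#include <string.h>

/* Minimal mirrors of the kernel UAPI layouts in linux/netlink.h and linux/genetlink.h. */
struct nlmsghdr { uint32_t nlmsg_len; uint16_t nlmsg_type, nlmsg_flags; uint32_t nlmsg_seq, nlmsg_pid; };
struct genlmsghdr { uint8_t cmd, version; uint16_t reserved; };
struct nlattr { uint16_t nla_len, nla_type; };
#define ALIGN4(n) (((n) + 3u) & ~(size_t)3)

/* Hypothetical family: two attribute types and a kernel-style nla_policy table for them. */
enum { ATTR_UNSPEC, ATTR_NAME, ATTR_COUNT, ATTR_MAX = ATTR_COUNT }; enum { POL_UNSPEC, POL_STRING, POL_U32 };
static const struct { int kind; uint16_t maxlen; } policy[ATTR_MAX + 1] = {
    [ATTR_NAME] = { POL_STRING, 16 }, [ATTR_COUNT] = { POL_U32, 4 } };

/* The checks the vulnerable modules skipped: nlmsg_len against the bytes actually received,
 * each nla_len against the remaining payload, each payload against its policy. 0 = accepted. */
int validate_genl_msg(const uint8_t *buf, size_t buflen)
{
    struct nlmsghdr h;
    if (buflen < sizeof h) return -1;                               /* header truncated */
    memcpy(&h, buf, sizeof h);
    if (h.nlmsg_len < sizeof h + sizeof(struct genlmsghdr) || h.nlmsg_len > buflen) return -2; /* bad nlmsg_len */
    for (size_t off = ALIGN4(sizeof h + sizeof(struct genlmsghdr)); off + 4 <= h.nlmsg_len;) {
        struct nlattr a; memcpy(&a, buf + off, sizeof a);
        if (a.nla_len < sizeof a || off + a.nla_len > h.nlmsg_len) return -3;  /* attribute runs past message */
        uint16_t type = a.nla_type & 0x3fff, plen = a.nla_len - sizeof a;     /* nla_type() strips flag bits */
        const uint8_t *p = buf + off + sizeof a;
        if (type > ATTR_MAX || policy[type].kind == POL_UNSPEC) return -4;    /* not in the policy */
        if (policy[type].kind == POL_U32 && plen != 4) return -5;             /* wrong size for a u32 */
        if (policy[type].kind == POL_STRING &&
            (plen == 0 || plen > policy[type].maxlen || !memchr(p, '\0', plen))) return -5;
        off += ALIGN4(a.nla_len);
    }
    return 0;
}

/* Constructed 36-byte message (ATTR_NAME "lab", ATTR_COUNT 7); tamper != 0 injects one defect. */
int demo(int tamper)
{
    uint8_t buf[64] = {0};
    struct nlmsghdr h = { .nlmsg_len = 36, .nlmsg_type = 16, .nlmsg_seq = 1 };  /* family id: constructed */
    struct genlmsghdr g = { .cmd = 1, .version = 1 };
    struct nlattr a1 = { 8, ATTR_NAME }, a2 = { 8, ATTR_COUNT }; uint32_t count = 7;
    if (tamper == 1) h.nlmsg_len = 4096;  /* header claims far more than the 36 bytes received */
    if (tamper == 2) a2.nla_len = 200;    /* attribute length exceeds the remaining payload */
    if (tamper == 3) a2.nla_len = 6;      /* u32 attribute carrying only 2 bytes */
    memcpy(buf, &h, 16); memcpy(buf + 16, &g, 4); memcpy(buf + 20, &a1, 4);
    memcpy(buf + 24, "lab", 4); memcpy(buf + 28, &a2, 4); memcpy(buf + 32, &count, 4);
    return validate_genl_msg(buf, 36);
}
```

Each tamper case is one of the patterns listed above; the return code names which check caught it, so a handler that copies attribute payloads only after validate_genl_msg() returns 0 cannot read past the receive buffer.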