Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
A data-race vulnerability has been identified in the Linux kernel's UDP handling within the IPv6 protocol. This issue arises because the UDP sendmsg function operates without locks, allowing one thread to read the sk->sk_bound_dev_if field while another thread may be modifying it. The vulnerability has been addressed by adding minimal annotations to prevent data-race warnings from the Kernel Concurrency Sanitizer. The data race was reported during the execution of a fuzzing tool, which highlighted the concurrent access issue.
Exploitation of this vulnerability leads to a data race condition, where two threads access shared data simultaneously, potentially causing inconsistent or unexpected behavior in the application.
The vulnerability can be reproduced by using a fuzzing tool, such as syzkaller, which sends UDP packets over IPv6. This process creates a race condition by concurrently modifying and reading the sk->sk_bound_dev_if field, triggering the data-race vulnerability.
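The lockless read of sk->sk_bound_dev_if described above, reduced to a deterministic userspace C model (an added example, not kernel code and not the upstream patch). The names demo_sock, pick_oif_racy, pick_oif_once and the racer callback are hypothetical; the READ_ONCE/WRITE_ONCE macros are simplified stand-ins for the kernel macros of the same name, and using them as the "minimal annotations" is an assumption, since the page does not name the annotations.

```c
#include <stdio.h>

/* Simplified userspace stand-ins for the kernel's READ_ONCE()/WRITE_ONCE()
 * (assumption: a plain volatile access is enough for this int-sized field). */
#define READ_ONCE(x)     (*(const volatile __typeof__(x) *)&(x))
#define WRITE_ONCE(x, v) (*(volatile __typeof__(x) *)&(x) = (v))

struct demo_sock {           /* hypothetical: models only the raced field */
    int sk_bound_dev_if;     /* 0 means "not bound to a device" */
};

/* Stand-in for the second thread, invoked at the worst possible moment. */
typedef void (*racer_fn)(struct demo_sock *);
void rebind_to_zero(struct demo_sock *sk) { WRITE_ONCE(sk->sk_bound_dev_if, 0); }
void no_racer(struct demo_sock *sk) { (void)sk; }

/* Racy shape: the field is loaded twice, so the check and the use can
 * observe different values when a writer runs in between. */
int pick_oif_racy(struct demo_sock *sk, int fallback, racer_fn racer)
{
    if (sk->sk_bound_dev_if != 0) {  /* load 1: the check */
        racer(sk);                   /* simulated concurrent writer */
        return sk->sk_bound_dev_if;  /* load 2: may contradict load 1 */
    }
    return fallback;
}

/* Annotated shape: one READ_ONCE() snapshot; every later decision uses the
 * local copy, so the result is either the old or the new binding. */
int pick_oif_once(struct demo_sock *sk, int fallback, racer_fn racer)
{
    int oif = READ_ONCE(sk->sk_bound_dev_if);
    racer(sk);                       /* the writer can no longer split the logic */
    return oif != 0 ? oif : fallback;
}

int main(void)
{
    struct demo_sock a = { .sk_bound_dev_if = 3 };  /* constructed sample values */
    struct demo_sock b = { .sk_bound_dev_if = 3 };
    printf("racy: %d\n", pick_oif_racy(&a, 7, rebind_to_zero));
    printf("once: %d\n", pick_oif_once(&b, 7, rebind_to_zero));
    return 0;
}
```

The racy variant returns a value that is neither the bound device nor the fallback, which is the kind of inconsistent result a lockless double read allows; the snapshot variant cannot produce it.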