Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*, +4 more
A race condition vulnerability has been identified in the Linux kernel's KCM (Kernel Connection Multiplexor) sockets. The issue arises because the KCM socket's receive path uses a specific lock to protect its operations, but the corresponding message reception function only applies the lock for the socket's skb (socket buffer) queue. This discrepancy creates a window for race conditions. While it's possible to modify the reception function to include the missing lock, doing so could negatively impact performance, as the lock can be shared among multiple KCM sockets. The vulnerability can be addressed by adjusting the message reception process to properly manage the locks, ensuring that the skb queue is adequately protected without introducing performance penalties.
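A userspace model of the corrected lock discipline described above, added here as an illustration; it is not kernel code or the upstream patch, and the names `rxq`, `mux`, `rx_lock`, `rx_deliver` and `recv_one` are hypothetical. The receive path holds a mux-wide lock but also takes the queue's own lock for every queue update, so a reader that holds only the queue lock stays consistent without contending on the shared mux lock.

```c
#include <pthread.h>
#include <sched.h>
enum { QCAP = 64, NMSG = 20000 };

/* Userspace model; every name here is hypothetical, not a kernel identifier. */
struct rxq { pthread_mutex_t lock; int buf[QCAP]; int head, len; };
struct mux { pthread_mutex_t rx_lock; struct rxq q; };
static struct mux mx = { PTHREAD_MUTEX_INITIALIZER,
                         { PTHREAD_MUTEX_INITIALIZER, {0}, 0, 0 } };

/* Receive path: holds the mux-wide lock, which guards more than the queue.
 * Updating q under rx_lock alone is the mismatch; q.lock is shared with the reader. */
static int rx_deliver(int v) {
    int ok;
    pthread_mutex_lock(&mx.rx_lock);
    pthread_mutex_lock(&mx.q.lock);
    if ((ok = mx.q.len < QCAP))
        mx.q.buf[(mx.q.head + mx.q.len++) % QCAP] = v;
    pthread_mutex_unlock(&mx.q.lock);
    pthread_mutex_unlock(&mx.rx_lock);
    return ok;
}

/* Reader: takes only q.lock; tests and removes the head in one section. */
static int recv_one(int *out) {
    int ok;
    pthread_mutex_lock(&mx.q.lock);
    if ((ok = mx.q.len > 0)) {
        *out = mx.q.buf[mx.q.head];
        mx.q.head = (mx.q.head + 1) % QCAP;
        mx.q.len--;
    }
    pthread_mutex_unlock(&mx.q.lock);
    return ok;
}

static void *producer(void *unused) {
    for (int i = 1; i <= NMSG; i++)
        while (!rx_deliver(i)) sched_yield();
    return unused;
}

/* Returns 1 if all NMSG values arrived once each, in order. */
static int run_model(void) {
    pthread_t t; int v, n = 0, good = 1;
    if (pthread_create(&t, 0, producer, 0)) return 0;
    while (n < NMSG)
        if (!recv_one(&v)) sched_yield();
        else if (v != ++n) good = 0;
    pthread_join(t, 0);
    return good && mx.q.len == 0;
}
```

Building the model with a thread sanitizer and dropping the `q.lock` acquisition from `rx_deliver` is a quick way to see the mismatch reported as a data race on the queue fields.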
Exploitation of this vulnerability can lead to race conditions in KCM sockets, potentially causing unexpected behavior in data transmission or processing.
The vulnerability can be reproduced by creating a KCM socket and initiating data reception while manipulating the locks involved. This can be done using a tool like syzbot, which can automate the process of sending data to the socket and triggering the race condition.