Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*, +4 more
A vulnerability in the Linux kernel's handling of TCP sockets can leak kernel memory and lead to a denial-of-service condition. The issue arises when the SOF_TIMESTAMPING_TX_ACK option (set through SO_TIMESTAMPING) is enabled on a socket: when the peer acknowledges transmitted data, the kernel clones the acknowledged packet and places the clone on the socket's error queue so the application can read the ACK timestamp. If the application also sends with MSG_ZEROCOPY, these cloned packets hold references that keep the socket's reference count elevated. When the socket is closed while the error queue still contains such packets, the socket is never freed and remains alive indefinitely, consuming kernel memory; repeated triggering can exhaust memory and potentially freeze the host. Several versions of the Linux kernel are affected.
Exploitation of this vulnerability causes excessive kernel memory consumption. Because each leaked socket is never reclaimed, repeated triggering can exhaust available resources and potentially freeze the system.
To reproduce this vulnerability, enable SOF_TIMESTAMPING_TX_ACK on a TCP socket with setsockopt(SO_TIMESTAMPING) (together with SOF_TIMESTAMPING_SOFTWARE so the ACK timestamps are reported). Enable SO_ZEROCOPY on the socket and send data with the MSG_ZEROCOPY flag; once the peer acknowledges the data, the cloned packets are added to the error queue. Then close the socket while the error queue is still populated, without draining it with recvmsg(MSG_ERRQUEUE). On an affected kernel the socket is not released: its reference count stays elevated and the kernel memory backing it leaks.
The vulnerability has been addressed by modifying the socket queue management so that the error queue is purged before the socket is torn down on close. Users should upgrade to a Linux kernel version that includes this fix. Until the kernel is updated, applications that combine SOF_TIMESTAMPING_TX_ACK with MSG_ZEROCOPY reduce their exposure by draining the error queue (recvmsg with MSG_ERRQUEUE until it returns EAGAIN) before calling close(); this is a workaround only, since an acknowledgment arriving between the drain and the close can still queue a clone.
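The following C program is an added example, not code from this advisory or from the Linux kernel project. It runs the sequence described above on a loopback TCP pair (SO_TIMESTAMPING with SOF_TIMESTAMPING_TX_ACK, SO_ZEROCOPY, a send with MSG_ZEROCOPY, then an ACK from the peer) and shows the userspace counterpart of the fix: draining the error queue with recvmsg(MSG_ERRQUEUE) before close(). run_demo(0) performs the close-with-populated-queue sequence from the advisory; run_demo(1) drains first. The loopback pair, the payload, the helper names and the return-code convention (-2 when this environment lacks SO_TIMESTAMPING or SO_ZEROCOPY support) are constructed for the example.

```c
/* errqueue_drain.c -- Linux only. Build: gcc -Wall -O2 errqueue_drain.c -o errqueue_drain */
#define _GNU_SOURCE
#include <arpa/inet.h>
#include <errno.h>
#include <linux/errqueue.h>
#include <linux/net_tstamp.h>
#include <netinet/in.h>
#include <poll.h>
#include <stdio.h>
#include <sys/socket.h>
#include <sys/uio.h>
#include <unistd.h>

#ifndef SO_ZEROCOPY
#define SO_ZEROCOPY 60            /* asm-generic value, for older libc headers */
#endif
#ifndef MSG_ZEROCOPY
#define MSG_ZEROCOPY 0x4000000
#endif
#ifndef SO_EE_ORIGIN_ZEROCOPY
#define SO_EE_ORIGIN_ZEROCOPY 5
#endif

/* Connected TCP pair over 127.0.0.1 on an ephemeral port (constructed for the example). */
static int loopback_pair(int *cli, int *srv)
{
    struct sockaddr_in a = { .sin_family = AF_INET,
                             .sin_addr.s_addr = htonl(INADDR_LOOPBACK) };
    socklen_t alen = sizeof a;
    int l = socket(AF_INET, SOCK_STREAM, 0), c = -1, s = -1;
    if (l < 0) return -1;
    if (bind(l, (struct sockaddr *)&a, alen) || listen(l, 1) ||
        getsockname(l, (struct sockaddr *)&a, &alen) ||
        (c = socket(AF_INET, SOCK_STREAM, 0)) < 0 ||
        connect(c, (struct sockaddr *)&a, alen) ||
        (s = accept(l, NULL, NULL)) < 0) {
        close(l); if (c >= 0) close(c); return -1;
    }
    close(l);
    *cli = c; *srv = s;
    return 0;
}

/* The two options the advisory combines. SOF_TIMESTAMPING_SOFTWARE is required for the
   ACK timestamp to be reported; SOF_TIMESTAMPING_OPT_TSONLY is deliberately not set, so
   the kernel clones the acknowledged packet onto the error queue as described above. */
static int enable_tx_ack_and_zerocopy(int fd)
{
    int ts = SOF_TIMESTAMPING_TX_ACK | SOF_TIMESTAMPING_SOFTWARE | SOF_TIMESTAMPING_OPT_ID;
    int one = 1;
    if (setsockopt(fd, SOL_SOCKET, SO_TIMESTAMPING, &ts, sizeof ts)) return -1;
    return setsockopt(fd, SOL_SOCKET, SO_ZEROCOPY, &one, sizeof one);
}

/* Consume every entry on the error queue. Returns the number of messages read, -1 on error. */
int drain_errqueue(int fd)
{
    int n = 0;
    for (;;) {
        char data[256], ctl[512];
        struct iovec iov = { data, sizeof data };
        struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                              .msg_control = ctl, .msg_controllen = sizeof ctl };
        if (recvmsg(fd, &msg, MSG_ERRQUEUE | MSG_DONTWAIT) < 0)
            return (errno == EAGAIN || errno == EWOULDBLOCK) ? n : -1;
        n++;
        for (struct cmsghdr *cm = CMSG_FIRSTHDR(&msg); cm; cm = CMSG_NXTHDR(&msg, cm)) {
            if (cm->cmsg_level != SOL_IP || cm->cmsg_type != IP_RECVERR) continue;
            struct sock_extended_err *ee = (struct sock_extended_err *)CMSG_DATA(cm);
            if (ee->ee_origin == SO_EE_ORIGIN_ZEROCOPY)
                printf("  zerocopy completion, send ids %u..%u\n", ee->ee_info, ee->ee_data);
            else if (ee->ee_origin == SO_EE_ORIGIN_TIMESTAMPING)
                printf("  tx timestamp, ee_info=%u (2 = SCM_TSTAMP_ACK)\n", ee->ee_info);
        }
    }
}

/* Runs the advisory's sequence on a loopback pair. Returns -2 when this environment
   lacks the needed socket options (nothing to demonstrate), -1 on an unexpected error,
   otherwise the number of error-queue entries drained before close(); with
   drain_before_close == 0 the queue is left populated, which is the vulnerable sequence. */
int run_demo(int drain_before_close)
{
    static const char payload[] = "constructed demo payload";
    char buf[64];
    struct pollfd p;
    int cli, srv, rc = -1;
    if (loopback_pair(&cli, &srv)) return -2;
    if (enable_tx_ack_and_zerocopy(cli)) { rc = -2; goto out; }
    if (send(cli, payload, sizeof payload, MSG_ZEROCOPY) != (ssize_t)sizeof payload) {
        rc = (errno == EINVAL || errno == EOPNOTSUPP) ? -2 : -1;
        goto out;
    }
    if (read(srv, buf, sizeof buf) <= 0) goto out;
    /* Once the peer ACKs, the zerocopy completion and the cloned, ACK-timestamped packet
       sit on cli's error queue; poll() reports a non-empty error queue as POLLERR. */
    p.fd = cli; p.events = 0;
    poll(&p, 1, 2000);
    rc = drain_before_close ? drain_errqueue(cli) : 0;
out:
    close(srv);
    close(cli);
    return rc;
}

int main(void)
{
    int n = run_demo(1);
    if (n == -2) puts("SO_TIMESTAMPING/SO_ZEROCOPY not available here; nothing drained");
    else if (n < 0) perror("run_demo");
    else printf("drained %d error-queue entries before close()\n", n);
    return n == -1;
}
```

On a kernel with zerocopy support the drain typically reports two entries for the single send: the zerocopy completion and the ACK timestamp carried by the cloned packet. Note that the drain is only a userspace workaround for the behaviour described in the advisory: an acknowledgment that lands after drain_errqueue() returns and before close() can still queue a clone, which is why the in-kernel purge on close is the actual fix.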