Linux kernel
cpe:2.3:o:kernel:linux_kernel:*:*:*:*:*:*:*
A race condition vulnerability has been identified in the Linux kernel's Open vSwitch (OVS) implementation, specifically within the port output handling. This vulnerability can cause a CPU to become stuck in an infinite loop, leading to a denial-of-service condition. The issue arises when a network namespace is deleted while parallel requests are being sent to an HTTP server, creating a low-probability but exploitable scenario.
Exploitation of this vulnerability can cause a CPU to become stuck in an infinite loop, disrupting normal processing and potentially leading to a denial-of-service condition.
To reproduce this vulnerability, set up an Open vSwitch instance with one bridge and default flows. Create two network namespaces named 'server' and 'client', and add OVS interfaces on the bridge for each namespace. Connect each interface to a veth pair with 32 RX and TX queues, move the veth ends to the respective namespaces, and assign IP addresses on the same subnet. Start an HTTP server in the 'server' namespace. Then, send approximately 3000 parallel requests to the server while simultaneously deleting the 'server' network namespace. This can cause the kernel to log a 'soft lockup' message, indicating that a CPU has been stuck for an extended period.
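For detection, the 'soft lockup' message mentioned above can be picked out of kernel logs. The following is an added example, not part of the original advisory or of the kernel project: it parses the kernel watchdog's soft lockup line and flags CPUs that are reported repeatedly with a growing stuck time, which is what a CPU caught in an infinite loop looks like. The log lines, task names and PIDs are constructed, and the "repeated and growing" rule is an assumed heuristic.

```python
import re
from collections import defaultdict

# Watchdog line, e.g. "watchdog: BUG: soft lockup - CPU#5 stuck for 26s! [curl:4417]".
# Older kernels omit the "watchdog: " prefix, so it is not part of the pattern.
SOFT_LOCKUP = re.compile(
    r"BUG: soft lockup - CPU#(?P<cpu>\d+) stuck for (?P<secs>\d+)s! "
    r"\[(?P<task>[^\]]*):(?P<pid>\d+)\]"
)

# Constructed sample log (not captured from a real system).
SAMPLE_LOG = """\
[ 1201.104532] device veth-srv left promiscuous mode
[ 1228.331870] watchdog: BUG: soft lockup - CPU#5 stuck for 26s! [curl:4417]
[ 1256.331912] watchdog: BUG: soft lockup - CPU#5 stuck for 52s! [curl:4417]
[ 1259.870021] watchdog: BUG: soft lockup - CPU#2 stuck for 22s! [kworker/2:1:88]
[ 1284.331954] watchdog: BUG: soft lockup - CPU#5 stuck for 78s! [curl:4417]
"""


def find_stuck_cpus(log_text, min_reports=2):
    """Return {cpu: summary} for CPUs that never recovered.

    Assumed heuristic: the same CPU/task/PID is reported at least
    min_reports times and every report shows a longer stuck time.
    """
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = SOFT_LOCKUP.search(line)
        if m:
            key = (int(m["cpu"]), m["task"], int(m["pid"]))
            events[key].append(int(m["secs"]))

    stuck = {}
    for (cpu, task, pid), secs in events.items():
        growing = all(later > earlier for earlier, later in zip(secs, secs[1:]))
        if len(secs) >= min_reports and growing:
            stuck[cpu] = {
                "task": task,
                "pid": pid,
                "reports": len(secs),
                "max_stuck_s": max(secs),
            }
    return stuck


if __name__ == "__main__":
    for cpu, info in sorted(find_stuck_cpus(SAMPLE_LOG).items()):
        print(f"CPU#{cpu} stuck: {info}")
```

On a live host the same function can be fed the text of the kernel log instead of SAMPLE_LOG.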
The vulnerability has been fixed in the Linux kernel. Users should upgrade to the latest version.