Linux Kernel af_unix Data-Race Vulnerability in unix_inflight Management

Vulnerability

A data-race vulnerability has been identified in the Linux kernel's af_unix implementation, specifically in how the unix_inflight variable is managed. The issue arises because unix_inflight is updated under a lock, while the too_many_unix_fds function reads it without synchronization. This vulnerability was reported by the Kernel Concurrency Sanitizer and involves concurrent write and read operations on unix_inflight, leading to inconsistent states.
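The access pattern described above, modeled in userspace as an added example; it is not kernel source and not the upstream patch. Relaxed C11 atomics stand in for the kernel's WRITE_ONCE()/READ_ONCE() annotations, and `adjust_inflight`, `too_many_fds`, `run_model`, `FD_LIMIT` and `ROUNDS` are hypothetical names. The racy form would be a plain `inflight += delta` under the lock with a plain `inflight > FD_LIMIT` read outside it.

```c
/* Userspace model, constructed for illustration; not kernel source. */
#include <pthread.h>
#include <stdatomic.h>
#include <stdio.h>
#define FD_LIMIT 1024UL /* assumed stand-in for the per-user fd limit */
#define ROUNDS   100000
static pthread_mutex_t gc_lock = PTHREAD_MUTEX_INITIALIZER; /* writers only */
static _Atomic unsigned long inflight; /* models unix_inflight */

/* Writers hold the lock; the relaxed store stands in for WRITE_ONCE(). */
static void adjust_inflight(long delta)
{
    pthread_mutex_lock(&gc_lock);
    unsigned long cur = atomic_load_explicit(&inflight, memory_order_relaxed);
    atomic_store_explicit(&inflight, cur + delta, memory_order_relaxed);
    pthread_mutex_unlock(&gc_lock);
}

/* Lockless reader; the relaxed load stands in for READ_ONCE(). */
static int too_many_fds(void)
{
    return atomic_load_explicit(&inflight, memory_order_relaxed) > FD_LIMIT;
}

static void *writer(void *arg)
{
    for (int i = 0; i < ROUNDS; i++) {
        adjust_inflight(+1); /* attach: fd goes in flight */
        adjust_inflight(-1); /* detach: fd received or dropped */
    }
    return arg;
}

/* Two writers against a lockless reader; returns the final counter. */
static unsigned long run_model(unsigned long *over_limit)
{
    pthread_t t[2];
    *over_limit = 0; /* counts reads that saw a value above the limit */
    for (int i = 0; i < 2; i++) pthread_create(&t[i], NULL, writer, NULL);
    for (int i = 0; i < ROUNDS; i++) *over_limit += too_many_fds();
    for (int i = 0; i < 2; i++) pthread_join(t[i], NULL);
    return atomic_load(&inflight);
}

int main(void)
{
    unsigned long over, left = run_model(&over);
    return printf("final=%lu over_limit_reads=%lu\n", left, over) < 0;
}
```

Build with `cc -pthread`. Reverting both accesses to plain loads and stores and compiling with `-fsanitize=thread` makes ThreadSanitizer flag the same write/read pair, which is the userspace analogue of the sanitizer report the advisory mentions.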

Impact

Exploitation of this vulnerability can cause data corruption by allowing unsynchronized access to the unix_inflight variable, which tracks the number of file descriptors in use. This could disrupt the normal operation of applications that rely on Unix domain sockets by misrepresenting the number of active file descriptors, possibly leading to resource management issues.

Reproduction

The vulnerability can be reproduced by sending Unix domain socket messages that trigger the unix_attach_fds function, which increments the unix_inflight counter. Simultaneously, the too_many_unix_fds function can be called to read the unix_inflight value without proper synchronization, creating a data-race condition. This sequence can be automated with a script that uses the Unix domain socket API to send messages while concurrently checking the file descriptor limits.

Remediation

Users can upgrade to the latest stable version of the Linux kernel, where this vulnerability has been addressed. Instructions for downloading the patched version are available on the official Linux kernel website.

Added: Sep 15, 2025, 6:08 PM
Updated: Sep 15, 2025, 6:08 PM

Vulnerability Rating

Custom Algorithm
spread: 9.0
impact: 0.6
exploitability: 3.9
remediation: 7.7
relevance: 0.5
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.