Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*, +4 more
A vulnerability in the Linux kernel's handling of sockets within the Berkeley Packet Filter (BPF) has been addressed. The issue arose because unhashed UDP sockets could be added to a BPF socket map; when such a socket was pulled from the map and assigned to a packet via the BPF helper 'bpf_sk_assign', the helper did not account for the socket's state, and a reference count was leaked. The vulnerability was introduced when BPF was allowed to access unhashed UDP sockets without 'bpf_sk_assign' being updated to handle them, causing a mismatch in how the socket's state was tracked.
Exploitation of this vulnerability results in a reference count leak, where the kernel's internal accounting of socket references is improperly managed. A leak of this type can potentially be exploited to cause a denial of service by exhausting system resources or, in some cases, lead to more severe consequences such as arbitrary code execution.
To reproduce this vulnerability, first create an unhashed UDP socket and add it to a BPF socket map. Then, pull the socket out of the map and assign it using 'bpf_sk_assign'. Afterward, bind or connect the socket, which will set the 'SOCK_RCU_FREE' flag. Finally, when the socket is processed by the TCPv4 receive path, the reference count will not be properly decremented, leading to a leak.
The vulnerability has been fixed by updating the 'bpf_sk_assign' function to reject unhashed sockets, ensuring that socket state is correctly managed before assignment.
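The accounting mismatch described above, as an added userland model (not kernel code and not the kernel's fix): the assign step decides whether to take a reference from the socket's SOCK_RCU_FREE flag at assign time, the receive step decides whether to drop one from the same flag at receive time, and a bind in between makes the two decisions disagree. The struct, function names and the -1 error value are this model's own; only the flag name and the rule mirrored from the kernel's sk_is_refcounted() come from the kernel.

```c
#include <stdbool.h>

/* Userland model of one socket's accounting state; not a kernel structure. */
struct model_sock {
    int  refcnt;    /* stands in for sk->sk_refcnt (the owner holds 1) */
    bool hashed;    /* false while the socket is unhashed (unbound UDP) */
    bool rcu_free;  /* stands in for the SOCK_RCU_FREE flag */
};

/* Mirrors the kernel's sk_is_refcounted() rule: RCU-freed sockets are not pinned by skbs. */
static bool model_is_refcounted(const struct model_sock *sk) { return !sk->rcu_free; }

/* Vulnerable assign: takes a reference based on the flag as it is *now*. */
static int assign_vulnerable(struct model_sock *sk)
{
    if (model_is_refcounted(sk))
        sk->refcnt++;
    return 0;
}

/* Fixed assign, per the advisory: refuse unhashed sockets before any reference is taken. */
static int assign_fixed(struct model_sock *sk)
{
    if (!sk->hashed)
        return -1;  /* rejected; the error value is this model's, not the kernel's */
    if (model_is_refcounted(sk))
        sk->refcnt++;
    return 0;
}

/* bind()/connect() hashes the socket, which sets SOCK_RCU_FREE. */
static void model_bind(struct model_sock *sk) { sk->hashed = true; sk->rcu_free = true; }

/* Receive path: drops the assigned reference only if the socket is refcounted *now*. */
static void model_receive(struct model_sock *sk) { if (model_is_refcounted(sk)) sk->refcnt--; }

/* Runs the sequence from the advisory; returns how many references leaked (0 = none). */
static int leaked_refs(int (*assign)(struct model_sock *))
{
    struct model_sock sk = { .refcnt = 1, .hashed = false, .rcu_free = false };
    if (assign(&sk) != 0)
        return 0;          /* rejected up front: no reference taken */
    model_bind(&sk);       /* the flag flips between assign and receive */
    model_receive(&sk);
    return sk.refcnt - 1;  /* anything beyond the owner's reference is leaked */
}
```

With the vulnerable assign the model ends one reference high; with the fixed assign the unhashed socket is rejected and nothing leaks.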