Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
A refcount underflow vulnerability has been identified in the Linux kernel's XSK (eXpress Data Path sockets) component. This issue arises when the system runs out of memory, causing the function responsible for allocating transmission descriptors to fail. In the error handling path, the reference count of the memory pool is decremented, but the socket's reference to the pool is not cleared. As a result, when the socket is later closed, the teardown process mistakenly believes a pool is still attached and attempts to decrement the reference count again, leading to an underflow.
Exploitation of this vulnerability causes a reference count underflow, which can potentially lead to memory corruption or a use-after-free condition.
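The sequence described above, reduced to a user-space C model; this is an added illustration, not kernel code or the upstream patch. All type and function names are hypothetical, and the model assumes the socket takes its pool reference before the descriptor allocation is attempted.

```c
#include <stdbool.h>
#include <stdio.h>
/* User-space model of the bug class. All names are hypothetical. */
struct pool { int refs; bool underflowed; };
struct sock { struct pool *pool; };

static void pool_put(struct pool *p)
{
    if (p->refs == 0)
        p->underflowed = true;   /* put with no reference held: underflow */
    else
        p->refs--;
}

/* Bind: take a pool reference, then "allocate" TX descriptors. */
static int sock_bind(struct sock *s, struct pool *p, bool alloc_ok, bool hardened)
{
    p->refs++;
    s->pool = p;
    if (!alloc_ok) {
        pool_put(p);             /* error path drops the reference */
        if (hardened)
            s->pool = NULL;      /* and detaches the pool from the socket */
        return -1;
    }
    return 0;
}

/* Close: teardown drops a reference only if a pool still looks attached. */
static void sock_release(struct sock *s)
{
    if (s->pool)
        pool_put(s->pool);
    s->pool = NULL;
}

/* True if a failed bind followed by close performs an extra put. */
bool failed_bind_then_close_underflows(bool hardened)
{
    struct pool p = { 0, false };
    struct sock s = { NULL };
    sock_bind(&s, &p, false, hardened);   /* simulated allocation failure */
    sock_release(&s);
    return p.underflowed;
}

int main(void)
{
    printf("stale pointer kept: %d\n", failed_bind_then_close_underflows(false));
    printf("pointer cleared:    %d\n", failed_bind_then_close_underflows(true));
    return 0;
}
```

In the model the extra put is only flagged; the point for review is that any error path that drops a reference must also clear the pointer that teardown uses to decide whether a reference is held.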
To reproduce this vulnerability, create multiple XSK sockets on a system with limited memory. When the memory allocation for the transmission descriptors fails, the vulnerability is triggered. The reference count underflow occurs because the pool reference in the socket is not properly cleared before the socket is closed.
Users can upgrade to the latest version of the Linux kernel where this vulnerability has been fixed. Instructions for downloading the patched version are available on the official Linux kernel website.