Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
A data-race vulnerability has been identified in the Linux kernel's Datagram Congestion Control Protocol (DCCP) implementation. This issue arises because the function 'dccp_sendmsg()' accesses the 'dccps_mss_cache' variable before the socket is locked, creating a potential race condition. A similar problem exists in the 'do_dccp_getsockopt()' function. The vulnerability affects the Linux kernel stable tree and has been addressed by adding 'READ_ONCE()' and 'WRITE_ONCE()' annotations to the relevant code. The 'dccp_sendmsg()' function has also been modified to recheck the 'dccps_mss_cache' after the socket is locked, ensuring proper synchronization.
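The fix pattern described above (annotated lockless access plus a recheck once the lock is held), shown as an added user-space C model; it is not the kernel patch. Apart from `dccps_mss_cache`, every name is hypothetical, the macros are simplified stand-ins for the kernel's, and the code assumes the cached value is used as an upper bound on message length.

```c
#include <errno.h>
#include <pthread.h>
#include <stddef.h>

/* User-space stand-ins for the kernel macros: one untorn, non-refetched access. */
#define READ_ONCE(x)     (*(const volatile __typeof__(x) *)&(x))
#define WRITE_ONCE(x, v) (*(volatile __typeof__(x) *)&(x) = (v))

/* Hypothetical model socket; only the field name comes from the advisory. */
struct model_sock {
    pthread_mutex_t lock;         /* stands in for the socket lock */
    unsigned int dccps_mss_cache; /* written only with the lock held */
};

/* Writer: holds the lock, but annotates the store for lockless readers. */
static void model_sync_mss(struct model_sock *sk, unsigned int mss)
{
    pthread_mutex_lock(&sk->lock);
    WRITE_ONCE(sk->dccps_mss_cache, mss);
    pthread_mutex_unlock(&sk->lock);
}

/* Constructed "concurrent" update, injected between the two checks below. */
static void shrink_mss(struct model_sock *sk) { model_sync_mss(sk, 100); }

/* Sender: the lockless pre-check is only a hint; the locked recheck decides. */
static int model_sendmsg(struct model_sock *sk, size_t len,
                         void (*race)(struct model_sock *))
{
    int ret = 0;
    if (len > READ_ONCE(sk->dccps_mss_cache))
        return -EMSGSIZE;             /* early reject, no lock taken */
    if (race) race(sk);               /* value may change in this window */
    pthread_mutex_lock(&sk->lock);
    if (len > sk->dccps_mss_cache)    /* plain read is safe under the lock */
        ret = -EMSGSIZE;
    pthread_mutex_unlock(&sk->lock);
    return ret;
}

/* getsockopt-style reader that never takes the lock. */
static unsigned int model_get_mss(struct model_sock *sk)
{ return READ_ONCE(sk->dccps_mss_cache); }

int main(void)
{
    struct model_sock sk = { PTHREAD_MUTEX_INITIALIZER, 1400 };
    /* Exit 0 when the recheck catches the update that raced the pre-check. */
    return (model_sendmsg(&sk, 1000, shrink_mss) == -EMSGSIZE &&
            model_get_mss(&sk) == 100) ? 0 : 1;
}
```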
The vulnerability could lead to a data-race condition, where concurrent operations could interfere with each other, potentially causing unexpected behavior in the DCCP implementation.
The vulnerability can be reproduced by invoking the 'dccp_sendmsg()' function or the 'do_dccp_getsockopt()' function in a scenario where the socket is not locked, allowing for a data-race condition to occur. This can be achieved by sending DCCP messages or socket options that trigger these functions before the socket is properly synchronized.
Users can upgrade to the latest version of the Linux kernel stable tree, where this vulnerability has been fixed. Instructions for downloading the patched version are available on the official Linux kernel website.