Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
- >= 6.4.0-rc5-01219, < 6.4.0-rc5-01220
A data-race vulnerability has been identified in the Linux kernel's af_unix component. The issue arises because the unix_tot_inflight counter is modified under the protection of a spin lock, while the unix_release_sock function accesses it without any locking mechanism. This vulnerability affects the Linux kernel stable tree, specifically in versions prior to the latest commit that addresses this issue. The root cause is the improper synchronization of the unix_tot_inflight counter, which can lead to inconsistent data being read by processes.
The vulnerability can cause a data-race condition, where concurrent processes may read inconsistent or incorrect values of the unix_tot_inflight counter, potentially leading to improper socket management and resource handling in Unix domain sockets.
The vulnerability can be reproduced by sending messages over a Unix domain socket using the Datagram protocol. This can be done by creating a socket with the AF_UNIX address family and the SOCK_DGRAM socket type, then sending messages through the socket. The data-race condition will be triggered because the unix_release_sock function will read the unix_tot_inflight counter without proper synchronization, while the counter may be concurrently modified by other operations that manage the inflight data.
Users can upgrade to the latest version of the Linux kernel stable tree, where this vulnerability has been addressed by modifying the unix_release_sock function to use READ_ONCE() when accessing the unix_tot_inflight counter. This change marks the lockless read of the counter so that it is performed as a single, well-defined access, eliminating the data-race condition.
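The access pattern described above, as an added userspace model (not kernel code and not taken from the fix commit): a counter updated only under a lock, and a release-style reader that checks it without the lock through a marked load. The `READ_ONCE`/`WRITE_ONCE` macros are simplified stand-ins for the kernel's, and `tot_inflight`, `gc_lock`, `inflight_add`, `release_needs_gc` and `run_model` are hypothetical names.

```c
/* Userspace model (constructed): counter written under a lock, read locklessly. */
#include <pthread.h>
#include <stdio.h>
/* Simplified stand-ins for the kernel macros: force exactly one volatile access. */
#define READ_ONCE(x)     (*(const volatile __typeof__(x) *)&(x))
#define WRITE_ONCE(x, v) (*(volatile __typeof__(x) *)&(x) = (v))
#define ROUNDS 200000

static pthread_mutex_t gc_lock = PTHREAD_MUTEX_INITIALIZER; /* models the spin lock */
static unsigned int tot_inflight;                            /* models unix_tot_inflight */

/* Writer side: every update happens with the lock held. */
static void inflight_add(int delta)
{
    pthread_mutex_lock(&gc_lock);
    WRITE_ONCE(tot_inflight, tot_inflight + (unsigned int)delta);
    pthread_mutex_unlock(&gc_lock);
}

/* Reader side, modelling the release path: no lock, but one marked load,
 * so the compiler cannot tear, repeat or cache the read. */
static int release_needs_gc(void)
{
    return READ_ONCE(tot_inflight) != 0;
}

static void *writer(void *arg)
{
    (void)arg;
    for (int i = 0; i < ROUNDS; i++)
        inflight_add(i % 2 ? -1 : 1);   /* +1, -1, +1, -1 ... ends at 0 */
    return NULL;
}

/* Races one writer against lockless readers; returns the final counter value. */
static unsigned int run_model(unsigned long *gc_hits)
{
    pthread_t t;
    *gc_hits = 0;
    pthread_create(&t, NULL, writer, NULL);
    for (int i = 0; i < ROUNDS; i++)
        *gc_hits += (unsigned long)release_needs_gc();
    pthread_join(t, NULL);
    return READ_ONCE(tot_inflight);
}

int main(void)
{
    unsigned long hits;
    printf("final=%u\n", run_model(&hits));
    return 0;
}
```

The reader may still observe a value that is stale by the time it acts on it; the marked load only guarantees that each read is a single access of a value the writer actually stored.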