Linux Kernel af_unix Component Data Race Vulnerability Allowing Improper Socket Shutdown Handling

Vulnerability

A data race vulnerability has been identified in the Linux kernel's af_unix component, specifically in the handling of socket shutdown states. The functions unix_release_sock() and unix_shutdown() modify the shutdown state while holding a lock, whereas unix_poll() and unix_dgram_poll() read it without taking a lock, so a poller can read the state while it is being changed and see an inconsistent value. This vulnerability affects several versions of the Linux kernel.

Impact

The vulnerability can lead to improper management of socket shutdown states, potentially causing applications to misinterpret the readiness of sockets for reading or writing, especially in scenarios involving datagram sockets and event polling.

Reproduction

The vulnerability can be reproduced by using the Kernel Concurrency Sanitizer (KCSAN) to detect the data race. This can be done by running a Linux kernel version that is vulnerable to this issue, with KCSAN enabled, and performing operations that involve polling Unix domain sockets while simultaneously shutting them down or releasing them. The KCSAN tool will report the data race, indicating that one thread is reading the shutdown state of a socket while another thread is writing to it, without proper synchronization.
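The reproduction described above, as an added example (not code from the kernel tree or from this advisory): a userspace test program that polls an AF_UNIX datagram socket while a second process shuts the same socket down, for use on a test kernel built with KCSAN. The function names race_once and run_rounds, the fork-based writer, the round count and the timeouts are assumptions of this example.

```c
#include <poll.h>
#include <stdio.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>

/* One round: the child calls shutdown() (the locked write of the shutdown
 * state) while the parent polls the same socket (the lockless read).
 * Returns 1 if poll() observed the shutdown, 0 if not, -1 on setup error. */
static int race_once(void)
{
    int sv[2], seen = 0;
    if (socketpair(AF_UNIX, SOCK_DGRAM, 0, sv) < 0)
        return -1;
    pid_t pid = fork();   /* child shares the same kernel socket objects */
    if (pid < 0) {
        close(sv[0]); close(sv[1]);
        return -1;
    }
    if (pid == 0) {                      /* writer side */
        shutdown(sv[0], SHUT_RDWR);
        _exit(0);
    }
    struct pollfd pfd = { .fd = sv[0], .events = POLLIN };
    for (int i = 0; i < 5000 && !seen; i++)   /* reader side, bounded to ~5 s */
        if (poll(&pfd, 1, 1) > 0 && (pfd.revents & (POLLHUP | POLLIN)))
            seen = 1;

    waitpid(pid, NULL, 0);
    close(sv[0]); close(sv[1]);
    return seen;
}

/* Repeats the round; returns how many rounds saw the shutdown via poll(). */
int run_rounds(int rounds)
{
    int ok = 0;
    for (int i = 0; i < rounds; i++)
        if (race_once() == 1)
            ok++;
    return ok;
}

int main(void)
{
    int rounds = 1000;   /* assumed count; raise it to give KCSAN more samples */
    printf("%d/%d rounds observed shutdown via poll()\n", run_rounds(rounds), rounds);
    return 0;
}
```

The program's own output only confirms that the rounds ran; any KCSAN report appears in the kernel log, and a multi-CPU test machine is needed for the two accesses to overlap.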

Remediation

Users can upgrade to the latest stable version of the Linux kernel, where this vulnerability has been addressed. The specific commit that fixes this issue is available in the Linux kernel stable tree.

Added: Dec 30, 2025, 3:28 PM
Updated: Dec 30, 2025, 3:28 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 0.6
exploitability: 5.3
remediation: 7.7
relevance: 1.7
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.