Linux Kernel SO_REUSEPORT Restriction Vulnerability in Crypto Sockets

Vulnerability

A vulnerability in the Linux kernel's handling of the SO_REUSEPORT socket option has been addressed. The issue allowed crypto sockets to be inadvertently destroyed by a Read-Copy-Update (RCU) callback, as identified by the automated testing tool 'syzbot'. This problem arose because acquiring a mutex within an RCU callback is prohibited. The vulnerability has been resolved by limiting the SO_REUSEPORT option to Internet sockets only. The initial patch version supported TCP, UDP, and SCTP sockets, but the functional test script required support for RAW and ICMP.

Impact

Exploitation of this vulnerability could lead to a use-after-free condition, where a socket is prematurely destroyed, potentially causing memory corruption or allowing for arbitrary code execution.

Reproduction

The vulnerability can be reproduced by creating a crypto socket and enabling the SO_REUSEPORT option. Then, trigger an RCU callback while attempting to acquire a mutex, which will cause the socket to be incorrectly destroyed. This can be automated with a script that simulates the necessary conditions, such as 'fcnal-test.sh' with added support for RAW and ICMP.

Remediation

Users should update to the latest version of the Linux kernel where this vulnerability has been addressed.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 2.5
exploitability: 5.7
remediation: 0.0
relevance: 0.0
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.