Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
A race condition vulnerability has been identified in the Linux kernel's UDP implementation. The issue arises when a UDP socket changes its local address, as a result of a connect() call, while it is receiving datagrams. After the address change but before the secondary hash and four-tuple hash are updated, there is a brief period during which a lookup operation may fail to locate the socket. This vulnerability affects several Linux kernel versions.
Exploitation of this vulnerability leads to a 'port unreachable' error being sent to the client, causing a disruption in UDP communication. This issue was observed to interfere with Podman's UDP functionality tests, indicating a potential impact in containerized environments.
The vulnerability can be reproduced using socat. Start a socat server in UDP4-LISTEN mode on a specified port. While the server is receiving datagrams, initiate a connect() to the address of the sender. If a subsequent datagram is sent from a different CPU thread before the server's socket is rehashed, the lookup will fail, and the client will receive a 'Connection refused' error. This can be automated with a script that sends datagrams while the server's socket is still updating.
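The lookup window described above can be seen in a simplified user-space model. This is an added example, not kernel code and not part of the original entry: the table layout, the two-step lookup (exact address first, then wildcard), and the names `hash2`, `lookup` and `race_window_model` are assumptions made for illustration, and the four-tuple hash is left out.

```c
/* Simplified user-space model of the lookup window; not kernel code. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ADDR_ANY 0u
#define NBUCKETS 8u

struct sock { uint32_t laddr; uint16_t lport; unsigned bucket; };

/* Model of the secondary (address + port) hash: one socket per bucket. */
static struct sock *table[NBUCKETS];

static unsigned hash2(uint32_t addr, uint16_t port) {
    return (addr * 31u + port) % NBUCKETS;
}

static void sk_hash(struct sock *sk) {          /* chain by current address */
    sk->bucket = hash2(sk->laddr, sk->lport);
    table[sk->bucket] = sk;
}

static void sk_rehash(struct sock *sk) {        /* move to the new bucket */
    table[sk->bucket] = NULL;
    sk_hash(sk);
}

/* A bucket hit only counts if the socket's address matches the key used. */
static struct sock *lookup_one(uint32_t addr, uint16_t port) {
    struct sock *sk = table[hash2(addr, port)];
    return (sk && sk->laddr == addr && sk->lport == port) ? sk : NULL;
}

static struct sock *lookup(uint32_t daddr, uint16_t dport) {
    struct sock *sk = lookup_one(daddr, dport);
    return sk ? sk : lookup_one(ADDR_ANY, dport);
}

/* Returns a bit mask: bit 0 = found before connect(), bit 1 = found in the
 * window (address changed, not rehashed), bit 2 = found after the rehash. */
int race_window_model(void) {
    const uint32_t local = 0x7f000001u;         /* constructed: 127.0.0.1 */
    const uint16_t port = 5000;                 /* constructed port */
    struct sock sk = { ADDR_ANY, port, 0 };
    int found = 0;
    memset(table, 0, sizeof table);
    sk_hash(&sk);                               /* listening on *:5000 */
    found |= (lookup(local, port) == &sk) << 0;
    sk.laddr = local;                           /* connect(): address changes first */
    found |= (lookup(local, port) == &sk) << 1; /* socket still in the old bucket */
    sk_rehash(&sk);
    found |= (lookup(local, port) == &sk) << 2;
    return found;
}

int main(void) { printf("found mask: %d\n", race_window_model()); return 0; }
```

In the model, the middle lookup misses because the socket is still chained under the wildcard key while its stored address already names the specific local address, so neither key matches; a datagram arriving at that point is the one that draws the 'port unreachable' reply.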