Linux Kernel UDP Socket Integer Overflow Vulnerability Allowing Memory Flooding

Vulnerability

A vulnerability in the Linux kernel's UDP implementation allows for integer overflow in socket memory management. The issue arises because the socket's receive buffer size can be manipulated to bypass boundary checks, leading to multiple wraparounds of the memory allocation counter. This flaw enables a single socket to accumulate an excessive amount of data, potentially overwhelming the system's memory management. The vulnerability was introduced by a previous commit that relaxed the atomic operations governing memory allocation for UDP sockets.

Impact

Exploitation of this vulnerability causes integer overflow in the socket's memory allocation counter, allowing for excessive memory consumption that could disrupt normal system operations.

Reproduction

The vulnerability can be reproduced by setting the socket's receive buffer size to INT_MAX, which disables the boundary check. Once this is done, flooding the socket with packets causes the memory allocation counter to overflow multiple times. This can be verified by checking the socket's memory statistics, which will show abnormal memory usage that exceeds the allowed limits.
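A userspace model of the arithmetic described above, added here as an illustration and not taken from the kernel source or its fix. The struct, the function names, the 1 MiB per-packet charge and the hardened check are assumptions chosen to show why a signed comparison against INT_MAX never fires and how the counter then wraps.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical userspace model of one socket's receive accounting. */
struct sock_model {
    uint32_t rmem_alloc; /* bytes charged; unsigned so wraparound is defined */
    int32_t rcvbuf;      /* configured receive buffer limit */
    unsigned wraps;      /* times the counter passed 2^32 */
};

/* Weak form: signed compare. No int exceeds INT_MAX, so nothing is dropped. */
static int enqueue_signed(struct sock_model *sk, uint32_t size)
{
    uint32_t after = sk->rmem_alloc + size;
    if ((int32_t)after > sk->rcvbuf)
        return -1;
    sk->wraps += (after < sk->rmem_alloc); /* counter wrapped past 2^32 */
    sk->rmem_alloc = after;
    return 0;
}

/* Hardened form (assumed): unsigned compare that cannot exceed the limit. */
static int enqueue_checked(struct sock_model *sk, uint32_t size)
{
    uint32_t limit = (uint32_t)sk->rcvbuf;
    if (sk->rmem_alloc > limit || size > limit - sk->rmem_alloc)
        return -1;
    sk->rmem_alloc += size;
    return 0;
}

/* Offer n packets of `size` bytes; return how many were accepted. */
static uint64_t offer(struct sock_model *sk, uint64_t n, uint32_t size,
                      int (*enq)(struct sock_model *, uint32_t))
{
    uint64_t ok = 0;
    for (uint64_t i = 0; i < n; i++)
        ok += (enq(sk, size) == 0);
    return ok;
}

int main(void)
{
    struct sock_model a = {0, INT_MAX, 0}, b = {0, INT_MAX, 0};
    unsigned long long na = offer(&a, 10000, 1u << 20, enqueue_signed);
    unsigned long long nb = offer(&b, 10000, 1u << 20, enqueue_checked);
    printf("signed: %llu/%u wraps, checked: %llu/%u wraps\n", na, a.wraps, nb, b.wraps);
    return 0;
}
```

In the model, the signed check accepts every packet while the counter wraps, whereas the unsigned check stops accepting once the charged bytes reach the configured limit.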

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 2.5
exploitability: 5.7
remediation: 0.0
relevance: 0.0
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.