Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
A denial-of-service vulnerability has been identified in the Linux kernel's BPF sockmap implementation. The issue arises when the 'skb_linearize' function is called on a socket buffer (skb) that has been aggregated by the strparser module. This aggregation can exceed the maximum allowed message fragments, triggering a kernel panic. The panic traces back to a race condition between skb operations in the backlog and skb release in the recvmsg path: a recent commit attempted to address that race but inadvertently introduced the panic.
Exploitation of this vulnerability leads to a kernel panic, causing a denial-of-service condition by crashing the system.
The vulnerability can be reproduced by executing a benchmark command that targets the sockmap with specific parameters. This command will force the receive path to use the strparser module, aggregating data until it exceeds the maximum allowed message fragments, before applying sockmap logic. The 'skb_linearize' function will then be called, causing the kernel panic.
Users can apply the latest patches available in the Linux kernel repository to address this vulnerability.