Linux Kernel vsock Transport TOCTOU Race Condition Vulnerability

Vulnerability

A time-of-check to time-of-use (TOCTOU) race condition vulnerability has been identified in the Linux kernel's virtual socket (vsock) implementation. The issue arises in the 'vsock_find_cid()' and 'vsock_dev_do_ioctl()' functions, which can race with module unload operations. Both functions test the transport callback pointers 'g2h' and 'h2g' for NULL and then dereference them, but a concurrent module unload can clear either pointer between the check and the use, so the dereference can hit NULL. The issue has been addressed by introducing the 'vsock_transport_local_cid()' function, which accesses the transport callbacks in a way that cannot be interleaved with the unload, preventing the null pointer dereference.
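The two access patterns at the heart of this advisory, as an added, user-space C illustration (not code from the kernel or from this advisory): a racy accessor that reads the global transport pointer twice, once for the NULL check and once for the call, and a fixed accessor shaped like the 'vsock_transport_local_cid()' helper the advisory names, which takes the registration lock and copies the pointer into a local once. The transport struct, the 'register_lock' spinlock standing in for the kernel's registration mutex, the 'preempt' hook standing in for the scheduler, and the demo transport reporting CID 42 are all assumptions constructed for this example. In the racy path the second read returning NULL is reported as -EFAULT so the window stays observable; in the real kernel that is the null pointer dereference.

```c
#include <errno.h>
#include <stdatomic.h>
#include <stdint.h>
#include <stdio.h>

/* Kernel constant: "any CID", the value returned when no transport is registered. */
#define VMADDR_CID_ANY ((uint32_t)-1)

struct vsock_transport {
    uint32_t (*get_local_cid)(void);
};

/* Stand-in for the kernel's transport registration mutex: a test-and-set spinlock
 * so the example is self-contained and deterministic (assumed, not kernel code). */
static atomic_flag register_lock = ATOMIC_FLAG_INIT;
static void register_lock_acquire(void) { while (atomic_flag_test_and_set(&register_lock)) {} }
static void register_lock_release(void) { atomic_flag_clear(&register_lock); }
static int  register_lock_try(void)     { return !atomic_flag_test_and_set(&register_lock); }

/* Globals a transport module fills in on load and clears on unload. */
static const struct vsock_transport *transport_g2h; /* guest -> host */
static const struct vsock_transport *transport_h2g; /* host -> guest */

/* Constructed demo transport that reports CID 42. */
static uint32_t demo_get_local_cid(void) { return 42; }
static const struct vsock_transport demo_transport = { demo_get_local_cid };

void demo_register(void)
{
    register_lock_acquire();
    transport_g2h = &demo_transport;
    register_lock_release();
}

/* Simulated module unload. It must hold the registration lock to clear the
 * pointers; if a reader holds the lock, the unload is deferred with -EBUSY. */
static int last_unregister_rc;
int demo_unregister(void)
{
    if (!register_lock_try())
        return last_unregister_rc = -EBUSY;
    transport_g2h = NULL;
    transport_h2g = NULL;
    register_lock_release();
    return last_unregister_rc = 0;
}
int demo_is_registered(void)      { return transport_g2h != NULL || transport_h2g != NULL; }
int demo_last_unregister_rc(void) { return last_unregister_rc; }

/* Hook standing in for the scheduler preempting the reader at the worst moment. */
void simulated_unload(void) { (void)demo_unregister(); }

/* VULNERABLE shape (the TOCTOU the advisory describes): the global pointer is
 * checked, then read again for the call. If the module is unloaded between the
 * two reads, the second read sees NULL. The kernel would dereference it here;
 * this demo returns -EFAULT instead so the window is observable. */
int64_t local_cid_racy(void (*preempt)(void))
{
    if (transport_g2h) {                        /* time of check */
        if (preempt) preempt();
        if (!transport_g2h) return -EFAULT;     /* kernel: NULL dereference here */
        return transport_g2h->get_local_cid();  /* time of use: second read */
    }
    if (transport_h2g) {
        if (preempt) preempt();
        if (!transport_h2g) return -EFAULT;
        return transport_h2g->get_local_cid();
    }
    return VMADDR_CID_ANY;
}

/* FIXED shape, modelled on the accessor the advisory names: hold the registration
 * lock, copy the pointer into a local exactly once, and use only that copy. An
 * unload attempted meanwhile cannot take the lock, so the copy stays valid. */
int64_t vsock_transport_local_cid_fixed(void (*preempt)(void))
{
    const struct vsock_transport *transport;
    int64_t cid = VMADDR_CID_ANY;

    register_lock_acquire();
    transport = transport_g2h ? transport_g2h : transport_h2g; /* single read */
    if (preempt) preempt();            /* unload attempted here gets -EBUSY */
    if (transport)
        cid = transport->get_local_cid();
    register_lock_release();
    return cid;
}

int main(void)
{
    demo_register();
    printf("racy, no unload:     %lld\n", (long long)local_cid_racy(NULL));
    printf("racy, unload inside: %lld (-EFAULT marks the NULL window)\n",
           (long long)local_cid_racy(simulated_unload));
    demo_register();
    printf("fixed, unload inside: %lld, unload rc %d (deferred)\n",
           (long long)vsock_transport_local_cid_fixed(simulated_unload),
           demo_last_unregister_rc());
    demo_unregister();
    printf("fixed, unloaded:     %lld\n", (long long)vsock_transport_local_cid_fixed(NULL));
    return 0;
}
```

The deciding difference is not the lock alone but the single read into a local: with the copy taken under the lock, nothing the unload path does can change what the caller dereferences.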

Impact

Exploitation of this vulnerability leads to a null pointer dereference in the kernel, causing a crash (denial of service) or undefined behavior.

Reproduction

The vulnerability can be reproduced by unloading the vsock transport module while 'vsock_find_cid()' or 'vsock_dev_do_ioctl()' is being invoked concurrently. Repeatedly alternating module unloads with calls to these functions eventually interleaves an unload between the NULL check and the use of the transport callbacks, at which point the callback pointer is NULL and the kernel dereferences it.

Remediation

Users should update to a Linux kernel version that contains the fix. Instructions for updating the kernel can be found in the official Linux kernel documentation.

Added: Sep 1, 2025, 7:22 PM
Updated: Sep 1, 2025, 7:22 PM

Vulnerability Rating

Custom Algorithm

spread          9.0
impact          2.5
exploitability  3.9
remediation     7.7
relevance       0.3
threat          4.8
urgency         2.9
incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.