Linux Kernel RXRPC Socket Queue Race Condition Vulnerability

Vulnerability

A race condition vulnerability has been identified in the RXRPC implementation of the Linux kernel, specifically within the socket queue management of completed calls. This issue arises when a call receives an event, such as incoming data, and is placed on the socket's queue. A thread handling the reception can be interrupted and requeued, allowing a second thread to process the same call simultaneously. This can lead to inconsistencies, where one thread may see a call terminate and release it, while another thread, still processing the call, encounters a kernel bug due to the call's state change. The vulnerability affects the Linux kernel stable tree.
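The interleaving described above, replayed deterministically as a user-space C model. This is an added illustration, not kernel code and not the upstream fix. The struct, the function names, and the assumption that a further event requeues the call while the first receiver is still working on it are all hypothetical. The tolerant branch shows one defensive pattern (skip a call that is already released) in place of an assertion.

```c
#include <stdbool.h>
#include <stdio.h>

/* User-space model only: every name here is hypothetical, not a kernel identifier. */
enum result { R_OK, R_SKIPPED, R_BUG };

struct call {
    int  pending;   /* events not yet consumed */
    bool terminal;  /* a pending event ends the call */
    bool queued;    /* currently on the socket queue */
    bool released;  /* completed and released by a receiver */
};

/* An event arrives: record it and put the call on the socket queue. */
static void deliver(struct call *c, bool terminal) {
    c->pending++;
    if (terminal) c->terminal = true;
    c->queued = true;
}

/* A receiver takes the call off the socket queue. */
static bool pop(struct call *c) {
    bool was_queued = c->queued;
    c->queued = false;
    return was_queued;
}

/* Receiver body, modelled as running with the per-call lock held. */
static enum result receive(struct call *c, bool tolerate_released) {
    if (c->released)                 /* another receiver already finished it */
        return tolerate_released ? R_SKIPPED : R_BUG;
    c->pending = 0;                  /* drain every pending event */
    if (c->terminal) c->released = true;
    return R_OK;
}

/* Replay the interleaving; returns what the second receiver sees. */
enum result replay(bool tolerate_released, enum result *first) {
    struct call c = {0};
    deliver(&c, false);              /* data arrives, call is queued */
    bool a = pop(&c);                /* receiver A picks the call up */
    deliver(&c, true);               /* final event requeues the call */
    bool b = pop(&c);                /* receiver B picks the same call */
    *first = a ? receive(&c, tolerate_released) : R_SKIPPED;
    return b ? receive(&c, tolerate_released) : R_SKIPPED;
}

int main(void) {
    enum result first, strict = replay(false, &first);
    printf("strict=%d tolerant=%d\n", strict, replay(true, &first));
    return 0;
}
```

In the strict variant the second receiver reaches the modelled assertion (`R_BUG`), matching the crash described under Impact; in the tolerant variant it returns `R_SKIPPED` and the first receiver's result is unchanged.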

Impact

Exploitation of this vulnerability causes a kernel panic, with the system crashing and displaying a 'kernel BUG' message related to the RXRPC reception handling.

Reproduction

To reproduce this vulnerability, initiate an RXRPC call and ensure that it receives an event while a thread is processing it. This can be done by simulating incoming data that triggers the reception thread. Once the first thread is handling the call, introduce a second thread that also attempts to process the same call from the socket queue. This will create a race condition where both threads interact with the call simultaneously, leading to the vulnerability's impact.

Remediation

Users can upgrade to the latest version of the Linux kernel where this vulnerability has been addressed. Instructions for upgrading can be found in the official Linux kernel documentation.

Added: Aug 16, 2025, 12:47 PM
Updated: Aug 16, 2025, 12:47 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 2.5
exploitability: 5.3
remediation: 7.7
relevance: 0.4
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.