Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*, +4 more
- >= 5.10.240, < 5.10.241
A vulnerability in the Linux kernel's netlink implementation can cause an infinite retry loop in the 'netlink_unicast()' function. The root cause is that 'netlink_attachskb()' does not correctly handle the socket's receive memory constraints: its checks do not cover the boundary case in which the true size of a socket buffer plus the memory already charged to the socket is exactly equal to the socket's receive buffer limit. In that case the buffer is neither attached nor waited for, so the caller retries indefinitely, producing a noticeable performance stall that is reported as a 'self-detected RCU stall' on the affected CPU.
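To make the boundary case concrete, the following is an added user-space model of the two receive-memory checks described above; it is constructed for this page and is not kernel code. It assumes the vulnerable second check is a strict '>' comparison and models the fix as the minimal change to '>=', which is what closes the equality gap the description names.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed user-space model of the two receive-memory checks that
 * netlink_attachskb() makes before handing an skb to a socket. Plain
 * integers stand in for sk_rmem_alloc / sk_rcvbuf; nothing here is kernel code. */
enum attach_result {
    ATTACHED = 0,           /* skb charged to the socket, caller is done     */
    WAITED = 1,             /* caller sleeps for memory, then retries        */
    RETRY_WITHOUT_WAIT = 2  /* neither: netlink_unicast() retries immediately */
};

/* One attach attempt. use_fixed_check=false models the vulnerable strict '>'
 * comparison; true models the assumed fix ('>='), the minimal change that
 * also covers rmem_alloc + truesize == rcvbuf. */
static enum attach_result attach_once(unsigned int rmem_alloc, unsigned int rcvbuf,
                                      unsigned int truesize, bool use_fixed_check)
{
    unsigned int rmem = rmem_alloc + truesize;      /* models atomic_add_return() */

    /* Check 1: attach if the queue was empty or the new total is below the limit. */
    if (rmem == truesize || rmem < rcvbuf)
        return ATTACHED;

    /* The charge is undone, so the allocation is back at rmem_alloc.
     * Check 2: should the caller sleep until memory is available? */
    bool over_limit = use_fixed_check ? (rmem_alloc + truesize >= rcvbuf)
                                      : (rmem_alloc + truesize >  rcvbuf);
    return over_limit ? WAITED : RETRY_WITHOUT_WAIT;
}

/* Drive the retry loop netlink_unicast() performs, capped so the vulnerable
 * model terminates. Returns the number of retries before the call attached or
 * slept; reaching the cap is the behaviour that surfaces as an RCU stall. */
static int count_retries(unsigned int rmem_alloc, unsigned int rcvbuf,
                         unsigned int truesize, bool use_fixed_check, int cap)
{
    int retries = 0;
    while (retries < cap &&
           attach_once(rmem_alloc, rcvbuf, truesize, use_fixed_check) == RETRY_WITHOUT_WAIT)
        retries++;
    return retries;
}

int main(void)
{
    /* Constructed values: 3072 bytes already queued, a 1024-byte skb, 4096 limit. */
    printf("vulnerable: %d retries\n", count_retries(3072, 4096, 1024, false, 1000));
    printf("fixed:      %d retries\n", count_retries(3072, 4096, 1024, true, 1000));
    return 0;
}
```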
Exploitation of this vulnerability leads to a denial-of-service condition, where the system experiences a significant performance degradation due to the stalled process.
The vulnerability can be reproduced by sending netlink messages that exceed the socket's receive buffer capacity, causing the 'netlink_attachskb()' function to enter a retry loop. This can be done by using a tool or script that generates a high volume of netlink messages, particularly those that require substantial processing or data transfer, such as audit-related messages. The 'kauditd' thread, which handles audit events, can be targeted to trigger this issue. Monitor the system for RCU stall warnings, which indicate that the vulnerability has been successfully exploited.
Users can upgrade to the latest stable version of the Linux kernel, where this vulnerability has been addressed. Instructions for downloading the patched kernel can be found on the official Linux kernel website.