Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*, +4 more
A vulnerability in the Linux kernel's AF_UNIX socket management can lead to improper garbage collection of active sockets. This issue arises because the socket management system fails to correctly track the state of sockets, allowing the garbage collector to mistakenly clean up sockets that are still in use. The vulnerability is present in the Linux kernel stable tree.
Exploitation of this vulnerability can cause sockets to be incorrectly garbage-collected, potentially leading to use-after-free conditions or other memory management issues.
The vulnerability can be reproduced in three stages: 1) Create a cyclic reference with multiple sockets, close all sockets, and trigger garbage collection. 2) Pass one socket (sk-A) to an embryo socket (sk-B), create a self-reference with another socket (sk-X), and trigger garbage collection again. 3) Accept the embryo socket (sk-B), pass it to a third socket (sk-C), close the in-flight socket (sk-A), and trigger garbage collection once more. This sequence causes the socket management system to misjudge the state of the sockets, leading to improper garbage collection.
The vulnerability has been addressed by modifying the socket management code to properly initialize and track the state of sockets, ensuring that the garbage collector does not mistakenly clean up active sockets.