Linux Kernel SMC General Protection Fault Vulnerability

Vulnerability

A vulnerability has been identified in the Linux kernel's Socket Memory Copy (SMC) implementation that leads to a general protection fault. The issue arises in SMC diagnostic message handling, where a non-canonical address is accessed and the kernel crashes. It stems from improper management of socket flags, specifically the INET_PROTOSW_ICSK flag, which is unnecessary for SMC and can lead to memory access errors. The problem was reported by syzbot, indicating a potential wild memory access.

Impact

Triggering this vulnerability causes a general protection fault, likely from an access to an invalid (non-canonical) memory address, which can crash the kernel or leave it in an undefined state.

Reproduction

The vulnerability can be reproduced by creating an SMC socket and initiating a diagnostic dump via netlink. The process involves allocating a socket, initializing it with the IPPROTO_SMC protocol, and then traversing the socket hash table to perform the diagnostic dump. This sequence of actions, particularly with the CONFIG_DEBUG_LOCK_ALLOC option enabled, triggers the fault by accessing a corrupted socket state.

Remediation

Users can apply the latest patches available in the Linux kernel stable tree to address this vulnerability.

Added: Dec 16, 2025, 5:24 PM
Updated: Dec 16, 2025, 5:24 PM

Vulnerability Rating

Custom Algorithm
spread: 9.0
impact: 2.5
exploitability: 4.3
remediation: 7.7
relevance: 1.4
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.