Linux Kernel Fore200e Driver Data Race Vulnerability in Bandwidth Accounting

A data race vulnerability has been identified in the Linux kernel's ATM fore200e driver, specifically in the fore200e_open() function. This vulnerability arises from improper handling of the available_cell_rate variable, which tracks bandwidth and is accessed concurrently by multiple functions. The issue occurs when fore200e_open() reserves bandwidth by updating available_cell_rate without holding the necessary lock. If an error occurs and the function attempts to restore the bandwidth while another process is modifying the same variable, it can lead to incorrect bandwidth calculations. This vulnerability affects the Linux kernel stable group.

Impact

Exploitation of this vulnerability causes a read-modify-write race condition, leading to incorrect bandwidth accounting. The error path in fore200e_open() can overwrite concurrent updates with stale values, disrupting the management of available bandwidth across virtual circuit connections.

Reproduction

To reproduce this vulnerability, open multiple virtual circuit connections using the fore200e driver. While one connection is being opened and the fore200e_open() function is updating the available_cell_rate, induce an error that triggers the function to restore the bandwidth without the proper lock. This can be done by simulating a failure in the fore200e_activate_vcin() call, causing the function to revert the bandwidth reservation. The lack of synchronization can then be observed as the error path interferes with ongoing operations on other virtual circuits, such as closing connections or changing quality of service settings.

Remediation

The vulnerability has been addressed by modifying the fore200e_open() function to ensure that the rate_mtx lock is applied during the entire bandwidth reservation process, including error handling. Users should update to the latest version of the Linux kernel where this fix has been implemented.