Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*, +4 more
A vulnerability in the Linux kernel's handling of handshake requests can cause a socket leak. When a handshake request is cancelled, it is removed from the `hn_requests` list but remains in the `handshake_rhashtbl` hash table until it is destroyed. If a second cancellation request for the same handshake arrives while the request is still in the hash table, the request is cancelled twice, leading to a reference count underflow. This can occur when a handshake times out, particularly in scenarios involving the SUNRPC client and AUTH_TLS probes.
The vulnerability causes a reference count underflow, which can lead to memory management issues and potentially allow for arbitrary code execution.
To reproduce this vulnerability, initiate a handshake request and then cancel it. A second cancellation request for the same handshake triggers the vulnerability, because the request is still present in the `handshake_rhashtbl`. This can happen when the handshake is allowed to time out: the server sends a FIN, which triggers one cancellation request; if the client also times out and issues another cancellation request for the same handshake, the reference count underflow occurs.
The vulnerability has been fixed in the Linux kernel. Users should upgrade to the latest version.