Linux Kernel Smack DOI Value Handling Vulnerability Disables Networking for Non-Ambient Labels

Vulnerability

A vulnerability has been identified in the Linux kernel's handling of Smack DOI values. Writing a previously used DOI value to the /smack/doi file disables networking for non-ambient labels. The issue arises because the Smack security module retains decommissioned DOI definitions: when such a DOI is written again, the module fails to reintroduce it and consequently never adds the default domain map, leaving networking for non-ambient labels disrupted.

Impact

This vulnerability causes a denial of service by disrupting networking for non-ambient Smack labels, which can lead to communication failures in applications or services relying on those labels.

Reproduction

The vulnerability can be reproduced by writing a DOI value to the /smack/doi file. If that value has been used before, networking for non-ambient labels is disabled. The condition can be verified by inspecting the NetLabel domain mappings: the default domain map for IPv4 will be missing, which indicates that the disruption has occurred.
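The verification step above can be turned into a repeatable check. The following POSIX shell script is an added example and not part of the advisory or the kernel project; it assumes a NetLabel domain-mapping listing in the one-line-per-mapping form that netlabelctl prints (e.g. "domain:DEFAULT,CIPSOv4,3"), which is an assumption to confirm against the installed netlabel_tools version. The sample listings are constructed to represent the healthy state (default IPv4 map present) and the broken state the advisory describes (default map missing).

```shell
#!/bin/sh
# Added example (not the advisory's or the kernel's own code): confirm that the
# DEFAULT IPv4 (CIPSOv4) domain map Smack installs for the configured DOI is
# present in the NetLabel mapping listing.
#
# Assumed listing format: one mapping per line, e.g. "domain:DEFAULT,CIPSOv4,3".
# Adjust the pattern if your netlabelctl prints mappings differently.

# Print the DOI carried by the DEFAULT CIPSOv4 mapping, or nothing if absent.
# $1 = mapping listing text
default_map_doi() {
    printf '%s\n' "$1" \
        | sed -n 's/^domain:DEFAULT,CIPSOv4,\([0-9][0-9]*\)$/\1/p' \
        | head -n 1
}

# Verify that the DEFAULT map exists and carries the DOI currently configured.
# $1 = DOI currently configured (the value read back from /smack/doi)
# $2 = mapping listing text
# Returns 0 when consistent, 1 when the DEFAULT map is missing (the failure
# mode described in the advisory), 2 when it maps a different DOI.
verify_doi_mapping() {
    mapped=$(default_map_doi "$2")
    if [ -z "$mapped" ]; then
        echo "no DEFAULT IPv4 map: networking for non-ambient labels is disabled" >&2
        return 1
    fi
    if [ "$mapped" != "$1" ]; then
        echo "DEFAULT map carries DOI $mapped, expected $1" >&2
        return 2
    fi
    return 0
}

# Constructed sample listings (not captured from a real system).
HEALTHY_LISTING='domain:DEFAULT,CIPSOv4,3
domain:"web",CIPSOv4,3'
# Same mappings with the default entry missing, as after the bug triggers.
BROKEN_LISTING='domain:"web",CIPSOv4,3'

# Typical use on a live host (requires smackfs mounted and netlabel_tools):
#   verify_doi_mapping "$(cat /smack/doi)" "$(netlabelctl map list)"
```

On a live host, run the check immediately after any write to /smack/doi; a return code of 1 means the kernel silently dropped the default map and the DOI write should be treated as a failed configuration change.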

Remediation

The vulnerability has been addressed in a commit that clears decommissioned DOI definitions so they can be reintroduced, and that synchronizes concurrent DOI updates with a new lock. Users can apply this fix by upgrading to a Linux kernel release that includes the commit.

Added: May 27, 2026, 2:44 PM
Updated: May 27, 2026, 2:44 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 0.6
exploitability: 4.3
remediation: 7.7
relevance: 9.7
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.