Linux Kernel Hardened Usercopy Panic Vulnerability in Socket Error Queue Handling

Vulnerability

A vulnerability in the Linux kernel's handling of socket error queues can lead to a panic due to a hardened usercopy violation. This issue arises in versions of the kernel where CONFIG_HARDENED_USERCOPY is enabled. The problem originates from the skbuff_fclone_cache, which was created without a defined usercopy region, unlike the skbuff_head_cache that properly whitelists the control buffer field. When the kernel attempts to copy sk_buff.cb data to userspace via the sock_recv_errqueue function, it triggers a usercopy BUG() because the cache lacks the necessary whitelist. The crash occurs under specific conditions when TCP allocates a socket buffer (skb) from the flawed cache, clones it, and queues it for error reporting. When userspace reads the error queue, the missing usercopy definition leads to a violation, exposing kernel memory and causing a crash.
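The whitelist check described above, as an added userspace model (not kernel code and not the upstream patch): each slab cache carries a usercopy region, and a copy of sk_buff.cb passes for skbuff_head_cache but fails for a cache created without one. The model_* types, usercopy_allowed() and the fclone_whitelisted variant are hypothetical names and shapes introduced for illustration.

```c
#include <stddef.h>
#include <stdio.h>

/* Simplified stand-in for struct sk_buff: only cb[] is meant to reach userspace. */
struct model_skb {
    void *next, *prev;   /* kernel pointers: must never be copied out */
    char cb[48];         /* control buffer, 48 bytes as in struct sk_buff */
    unsigned int len;
};

/* fclone objects carry two skbs back to back (model of struct sk_buff_fclones). */
struct model_fclones { struct model_skb skb1, skb2; int fclone_ref; };

/* Per-cache whitelist: bytes [useroffset, useroffset + usersize) of each object. */
struct model_cache { const char *name; size_t object_size, useroffset, usersize; };

/* 1 if copying n bytes at `offset` inside an object stays within the whitelist.
 * The real kernel check calls BUG() instead of returning 0. */
int usercopy_allowed(const struct model_cache *c, size_t offset, size_t n)
{
    if (offset >= c->object_size || n > c->object_size - offset)
        return 0;                               /* outside the object */
    if (offset < c->useroffset || offset - c->useroffset > c->usersize)
        return 0;                               /* starts outside the whitelist */
    return n <= c->usersize - (offset - c->useroffset);
}

/* skbuff_head_cache whitelists cb; skbuff_fclone_cache had no region (size 0). */
const struct model_cache head_cache = { "skbuff_head_cache",
    sizeof(struct model_skb), offsetof(struct model_skb, cb), 48 };
const struct model_cache fclone_cache = { "skbuff_fclone_cache",
    sizeof(struct model_fclones), 0, 0 };
/* Hypothetical whitelisted variant (assumed shape, not the upstream patch). */
const struct model_cache fclone_whitelisted = { "skbuff_fclone_cache (whitelisted)",
    sizeof(struct model_fclones), offsetof(struct model_fclones, skb1.cb), 48 };

int main(void)
{
    const struct model_cache *caches[] = { &head_cache, &fclone_cache, &fclone_whitelisted };
    size_t cb_off[] = { offsetof(struct model_skb, cb),
        offsetof(struct model_fclones, skb1.cb), offsetof(struct model_fclones, skb1.cb) };
    for (int i = 0; i < 3; i++)
        printf("%-34s copy of cb: %s\n", caches[i]->name,
               usercopy_allowed(caches[i], cb_off[i], 48) ? "allowed" : "BUG()");
    return 0;
}
```

The same check rejects a copy that starts at the object's pointer fields or runs past the end of cb, which is the protection the whitelist exists to provide.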

Impact

Exploitation of this vulnerability causes a kernel panic due to a usercopy hardening violation, which is a critical failure in the kernel's memory management and safety mechanisms.

Reproduction

To reproduce this vulnerability, enable CONFIG_HARDENED_USERCOPY in the Linux kernel. Then, allocate a socket buffer using the alloc_skb_fclone function, which retrieves the buffer from the skbuff_fclone_cache that lacks a usercopy whitelist. Clone this buffer using skb_clone, queue it to the sk_error_queue for timestamp reporting, and finally, have userspace read the error queue using recvmsg with the MSG_ERRQUEUE flag. This sequence will trigger the usercopy hardening violation and cause a kernel panic.

Remediation

Users can update to the latest version of the Linux kernel where this vulnerability has been fixed. The official Linux kernel Git repository contains the patched version.

Added: Jan 21, 2026, 2:20 PM
Updated: Jan 21, 2026, 2:20 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 2.5
exploitability: 4.3
remediation: 7.7
relevance: 2.2
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.