Linux Kernel Virtio VSOCK Loopback Transport Buffer Coalescing Vulnerability

A vulnerability exists in the Linux kernel's handling of buffer coalescing in the virtio VSOCK loopback transport. The issue arises when a linear socket buffer (skb) with available tail room is followed by a smaller skb, which can lead to an incorrect assumption that the smaller skb is linear. This vulnerability, introduced with MSG_ZEROCOPY support, allows data to be lost and the linear skb to be corrupted with uninitialized kernel memory. The problem has been addressed by ensuring that only linear skbs are coalesced, particularly in the loopback transport where this issue was present.

Impact

Exploitation of this vulnerability could result in the loss of data and the introduction of uninitialized memory into a linear socket buffer, potentially leading to undefined behavior or security issues.

Reproduction

The vulnerability can be reproduced by sending small, non-linear socket buffers over the VSOCK virtio loopback transport, while the MSG_ZEROCOPY flag is enabled. This will cause the linear socket buffer to be appended with uninitialized kernel memory, demonstrating the flaw in the buffer coalescing logic.

Remediation

Users can upgrade to the latest version of the Linux kernel where this vulnerability has been fixed. Instructions for downloading the patched version are available on the Linux kernel official website.