Linux Kernel RXRPC Unconditional Requeue Vulnerability in recvmsg Function

Vulnerability

A vulnerability in the Linux kernel's RXRPC implementation has been addressed. The issue arose in the recvmsg function, where an unconditional requeue of messages could corrupt the reception queue. This corruption could lead to use-after-free vulnerabilities or reference count underruns. The problem occurred when RXRPC received a message with the MSG_DONTWAIT flag, but the front of the reception queue had its mutex locked. In such cases, RXRPC would requeue the message, regardless of whether it was already queued. This behavior could disrupt the queue management, especially if the MSG_PEEK flag was also used, preventing proper dequeuing. The vulnerability has been fixed by ensuring that messages are only requeued if they are not already in the queue, and by moving them to the front if they are. Additionally, the handling of MSG_PEEK has been corrected to avoid unnecessary notifications when not all data has been processed.
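The queue corruption described above, modelled in userspace as an added example (this is not the kernel's rxrpc code). The `list_head` helpers, `struct call`, `requeue` and `demo` are hypothetical names, and the two-item queue is constructed for the demonstration.

```c
#include <stdbool.h>
#include <stdio.h>
/* Userspace stand-in for a kernel-style circular doubly linked list. */
struct list_head { struct list_head *next, *prev; };
struct call { struct list_head link; };  /* hypothetical queued item */
static void list_init(struct list_head *n) { n->next = n->prev = n; }
static bool on_list(const struct list_head *n) { return n->next != n; }

static void list_add_front(struct list_head *n, struct list_head *head)
{
    n->next = head->next; n->prev = head;
    head->next->prev = n; head->next = n;
}
static void list_unlink(struct list_head *n)
{
    n->prev->next = n->next; n->next->prev = n->prev;
    list_init(n);  /* self-linked means "not queued" */
}

/* Bounded walk both ways; a sound list yields `expect` entries each way. */
static bool list_sound(const struct list_head *head, int expect)
{
    const struct list_head *p; int fwd = 0, back = 0;
    for (p = head->next; p != head && fwd <= expect; p = p->next) fwd++;
    for (p = head->prev; p != head && back <= expect; p = p->prev) back++;
    return fwd == expect && back == expect;
}

/* fixed=false: requeue blindly. fixed=true: unlink first if already queued. */
static void requeue(struct list_head *q, struct call *c, bool fixed)
{
    if (fixed && on_list(&c->link)) list_unlink(&c->link);
    list_add_front(&c->link, q);
}

/* Constructed scenario: queue [a, b], then requeue an item still on it. */
static bool demo(bool fixed, bool pick_front)
{
    struct list_head q;
    struct call a, b, *c = pick_front ? &a : &b;
    list_init(&q); list_init(&a.link); list_init(&b.link);
    list_add_front(&b.link, &q); list_add_front(&a.link, &q);
    requeue(&q, c, fixed);
    return list_sound(&q, 2) && q.next == &c->link;
}

int main(void)
{
    return printf("blind=%d checked=%d\n", demo(false, true), demo(true, true)) < 0;
}
```

When the front item is requeued blindly, it ends up linked to itself, so a forward walk never returns to the queue head and the item behind it becomes unreachable.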

Impact

The vulnerability could lead to corruption of the RXRPC reception queue, causing use-after-free vulnerabilities or reference count underruns.

Remediation

Users can upgrade to the latest version of the Linux kernel to address this vulnerability.

Added: Feb 4, 2026, 7:01 PM
Updated: Feb 4, 2026, 7:01 PM

Vulnerability Rating

Custom Algorithm
spread: 9.0
impact: 7.5
exploitability: 3.5
remediation: 7.7
relevance: 2.5
threat: 3.2
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.