Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*, +4 more
A vulnerability in the Linux kernel's virtio VSOCK implementation allows a guest to manipulate transmission credit, leading to excessive memory allocation on the host. The issue arises because the VSOCK transmission credit is derived from a buffer size value set by the remote endpoint rather than from the host's own configuration. A malicious guest can advertise a large buffer and read data slowly, causing the host to allocate a significant amount of memory. Because guest and host share the same code base, the same problem can also occur in a guest facing a malicious host. The issue has been addressed by introducing a helper function that caps the transmission credit to the smaller of the peer's advertised buffer and the host's buffer allocation, ensuring that a remote peer cannot force the host to queue more data than its own settings allow.
Exploitation of this vulnerability could lead to a denial-of-service condition on the host, causing it to run out of memory and potentially become unresponsive. However, if memory limits are enforced using control groups, the maximum memory usage can be capped.
On an unpatched Ubuntu 22.04 host with approximately 64 GiB of RAM, create a proof-of-concept that establishes 32 guest VSOCK connections, each advertising a buffer size of 2 GiB. Have the guest read data slowly, which will cause the host to allocate a large amount of sk_buff memory. Monitoring memory usage will show a significant increase in Slab/SUnreclaim memory as the host runs out of memory and becomes unresponsive.
Users should update to the patched version of the Linux kernel where this vulnerability has been addressed.
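The credit cap described above, worked through with the reproduction figures (32 connections, 2 GiB advertised each), as an added example that is not the kernel's own code. The struct, field and function names are hypothetical, the model runs in user space, and the 256 KiB local buffer size is an assumed host setting.

```c
#include <stdint.h>
#include <stdio.h>

/* Simplified user-space model of per-socket credit state (names are hypothetical). */
struct credit_state {
    uint32_t buf_alloc;      /* local buffer size from our own configuration */
    uint32_t peer_buf_alloc; /* buffer size advertised by the remote peer */
    uint32_t tx_cnt;         /* bytes sent so far (free-running counter) */
    uint32_t peer_fwd_cnt;   /* bytes the peer reports having consumed */
};

/* Before the fix: the send window is whatever the peer advertises. */
static uint32_t tx_window_uncapped(const struct credit_state *s)
{
    return s->peer_buf_alloc;
}

/* After the fix: the window is min(peer advertisement, local buffer size). */
static uint32_t tx_window_capped(const struct credit_state *s)
{
    return s->peer_buf_alloc < s->buf_alloc ? s->peer_buf_alloc : s->buf_alloc;
}

/* Remaining credit = window minus bytes in flight, clamped at zero.
 * Unsigned subtraction keeps in_flight correct across counter wraparound. */
static uint32_t tx_credit(const struct credit_state *s, uint32_t window)
{
    uint32_t in_flight = s->tx_cnt - s->peer_fwd_cnt;
    return in_flight >= window ? 0 : window - in_flight;
}

/* Worst-case bytes queued over n connections if the peer never reads. */
static uint64_t worst_case_queued(uint32_t window, unsigned n)
{
    return (uint64_t)window * n;
}

int main(void)
{
    /* Constructed sample: 256 KiB local buffer (assumed), 2 GiB advertised. */
    struct credit_state s = { 256u * 1024u, 0x80000000u, 0, 0 };
    printf("uncapped: credit=%u, 32 conns queue up to %llu bytes\n",
           tx_credit(&s, tx_window_uncapped(&s)),
           (unsigned long long)worst_case_queued(tx_window_uncapped(&s), 32));
    printf("capped:   credit=%u, 32 conns queue up to %llu bytes\n",
           tx_credit(&s, tx_window_capped(&s)),
           (unsigned long long)worst_case_queued(tx_window_capped(&s), 32));
    return 0;
}
```

With the cap, the worst case per connection is bounded by the local setting, so the total scales with the host's own configuration instead of the peer's advertisement.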