Linux Kernel RDS over IB Connection Handling Vulnerability Allows Kernel Crash

Vulnerability

The Linux kernel's RDS (Reliable Datagram Sockets) implementation over InfiniBand (IB) contains a vulnerability in the memory registration process for a fresh outgoing connection. At that point the connection object is not fully established: the connection worker has not yet created the necessary RDMA connection identifier. When the 'sendmsg' function is called with the RDS control message for RDMA mapping, the kernel attempts to access a part of the connection that is not yet ready, which leads to a null pointer dereference and a kernel crash. This vulnerability affects several versions of the Linux kernel.
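
The failure mode described above, as a simplified user-space model in C. This is an added example, not kernel code and not the upstream fix: every `model_*` name, the sample key value and the choice of `-ENODEV` as the error are assumptions made for illustration.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified user-space model; every model_* name is hypothetical. */
struct model_cm_id { uint32_t device_key; }; /* stands in for the RDMA connection identifier */
struct model_conn {
    struct model_cm_id *cm_id;   /* NULL until the connection worker has run */
    struct model_cm_id storage;
};
enum model_cmsg { MODEL_CMSG_NONE, MODEL_CMSG_RDMA_MAP };
/* Fresh outgoing connection: the object exists, its identifier does not. */
void model_conn_init(struct model_conn *c) { c->cm_id = NULL; c->storage.device_key = 0; }
/* Work the connection worker performs later (asynchronously in a real system). */
void model_conn_worker(struct model_conn *c)
{
    c->storage.device_key = 0x1234;  /* constructed sample value */
    c->cm_id = &c->storage;
}
/* Pattern the advisory describes: c->cm_id used unchecked. Comparison only, never called. */
int model_get_mr_unchecked(struct model_conn *c, uint32_t *key)
{
    *key = c->cm_id->device_key;
    return 0;
}

/* Guarded form; the -ENODEV return is an assumption of this model. */
int model_get_mr_checked(struct model_conn *c, uint32_t *key)
{
    if (c == NULL || key == NULL) return -EINVAL;
    if (c->cm_id == NULL) return -ENODEV;   /* identifier not created yet */
    *key = c->cm_id->device_key;
    return 0;
}
/* Send path: an RDMA-map control message triggers memory registration. */
int model_sendmsg(struct model_conn *c, enum model_cmsg type, uint32_t *key)
{
    return type == MODEL_CMSG_RDMA_MAP ? model_get_mr_checked(c, key) : 0;
}

int main(void)
{
    struct model_conn c; uint32_t key = 0;
    model_conn_init(&c);
    int early = model_sendmsg(&c, MODEL_CMSG_RDMA_MAP, &key);  /* before the worker */
    model_conn_worker(&c);
    int late = model_sendmsg(&c, MODEL_CMSG_RDMA_MAP, &key);   /* after the worker */
    printf("before worker: %d, after worker: %d, key 0x%x\n", early, late, (unsigned)key);
    return 0;
}
```

With the guard in place, a mapping request that arrives before the worker has run is rejected with an error instead of reaching the dereference.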

Impact

Exploitation of this vulnerability causes a null pointer dereference, leading to a kernel crash.

Reproduction

To reproduce this vulnerability, initiate a fresh outgoing RDS connection over InfiniBand. Before the connection worker has established the necessary RDMA connection identifier, send a message using 'sendmsg' with the RDS control message for RDMA mapping. This will trigger the vulnerability by causing the system to attempt to access an uninitialized part of the connection, resulting in a kernel crash.

Remediation

The vulnerability has been addressed in the Linux kernel. Users should upgrade to the latest version where this issue has been fixed.

Added: Apr 13, 2026, 3:21 PM
Updated: Apr 13, 2026, 3:21 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 2.5
exploitability: 4.3
remediation: 7.7
relevance: 5.8
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.