Linux Kernel RxRPC Call Reference Management Vulnerability Leading to Kernel Crash

A vulnerability in the Linux kernel's RxRPC implementation can cause a kernel crash by mishandling to-client packets. The issue arises when a client call on a channel is terminated, leaving no call reference to manage. The error handling process incorrectly drops a call reference, which should only be done if one was actually acquired. This flaw transforms a protocol error into a crash, disrupting normal operations.

Impact

Exploiting this vulnerability causes a kernel crash, disrupting system operations and potentially leading to a denial of service.

Reproduction

The vulnerability can be reproduced by sending a to-client packet on a channel where the current client call has already been terminated. This can be done by initiating a client call, allowing it to complete, and then sending a packet that references the now-nonexistent call. The packet will be processed by the RxRPC input function, which will attempt to drop the call reference, leading to a crash.

Remediation

Users can apply the latest patches available in the Linux kernel stable tree to address this vulnerability.