Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
A vulnerability in the Linux kernel's Kernel Connection Multiplexor (KCM) module has been addressed. The issue arose when the KCM function 'kcm_write_msgs()' processed a message containing a zero-fragment socket buffer (SKB) in the fragment list. This situation occurred because, when 'kcm_sendmsg()' filled the maximum number of allowed fragments in the current SKB, it allocated a new SKB and linked it to the fragment list before the data was copied. If this data copy failed, the newly allocated SKB remained in the fragment list with no fragments, leading to a warning. This vulnerability could cause a similar issue in the Transmission Control Protocol (TCP) handling, where empty SKBs are not properly cleaned up on failure, potentially causing resource leaks or other unintended behaviors.
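The sequence described above, modelled in user space as an added example; it is not kernel code and not the upstream patch. `struct buf`, `struct msg`, `MAX_FRAGS` and both functions are hypothetical stand-ins, and the cleanup branch shows one way to drop the empty buffer on a failed copy, which is an assumption about the shape of a fix rather than the kernel's actual change.

```c
/* Simplified user-space model, not kernel code; every name here is hypothetical. */
#include <stdio.h>
#include <stdlib.h>
#define MAX_FRAGS 4                              /* stand-in for the per-buffer fragment limit */
struct buf { int nr_frags; struct buf *next; };  /* toy stand-in for an SKB */
struct msg { struct buf *head, *tail; };         /* partially built message */

/* Add one fragment. copy_ok models the data copy; cleanup selects the hardened path. */
static int msg_append(struct msg *m, int copy_ok, int cleanup)
{
    struct buf *prev = NULL;
    if (m->tail->nr_frags == MAX_FRAGS) {        /* current buffer is full */
        struct buf *n = calloc(1, sizeof(*n));
        if (!n) return -1;
        prev = m->tail;
        m->tail = prev->next = n;                /* linked BEFORE any data is copied */
    }
    if (!copy_ok) {
        if (cleanup && prev) {                   /* hardened: unlink and free the empty buffer */
            prev->next = NULL;
            free(m->tail);
            m->tail = prev;
        }
        return -1;                               /* without cleanup it stays in the list */
    }
    m->tail->nr_frags++;
    return 0;
}

/* Fill one buffer, fail the next copy, count zero-fragment buffers still linked. */
static int leftover_empty(int cleanup)
{
    struct msg m;
    int empty = 0;
    m.head = m.tail = calloc(1, sizeof(struct buf));
    if (!m.head) return -1;
    for (int i = 0; i < MAX_FRAGS; i++)
        msg_append(&m, 1, cleanup);
    msg_append(&m, 0, cleanup);                  /* constructed copy failure */
    for (struct buf *b = m.head, *next; b; b = next) {
        next = b->next;
        empty += (b->nr_frags == 0);
        free(b);
    }
    return empty;
}

int main(void)
{
    printf("no cleanup: %d, cleanup: %d\n", leftover_empty(0), leftover_empty(1));
}
```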
Exploitation of this vulnerability could lead to warnings being triggered in the kernel log, indicating a mishandling of socket buffer fragments. While this may not seem critical, such warnings can be symptomatic of deeper issues that could be exploited under certain conditions, especially in a networking context where KCM is used.
The vulnerability can be reproduced by sending a message through a KCM socket that fills the maximum number of fragments allowed. If the data copy process encounters an error, the newly allocated SKB will remain in the fragment list with zero fragments. This can be done using a KCM socket with the SOCK_SEQPACKET type, which automatically sets the end-of-record flag, allowing a zero-length write to complete the message and queue it for sending. This process can be automated with a simple script that replicates the behavior of the KCM socket handling.
Users can update to the latest version of the Linux kernel where this vulnerability has been fixed. Instructions for downloading the patched version can be found in the Linux kernel documentation.