Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*, +4 more
A vulnerability in the Linux kernel's vsock/virtio implementation leaks the listener's acceptance queue count when there is a transport mismatch. The issue arises in the 'virtio_transport_recv_listen()' function, which calls 'sk_acceptq_added()' before assigning the transport with 'vsock_assign_transport()'. If 'vsock_assign_transport()' fails or selects a different transport, the function exits without undoing the acceptance queue increment, so the listener's backlog count grows permanently. After several such failures, the acceptance queue appears full, and the listener starts rejecting new connections. This vulnerability affects the Linux kernel stable tree.
The vulnerability causes a denial of service by making the connection listener reject all new connections after a certain number of transport assignment failures.
To reproduce this vulnerability, initiate a connection using the vsock/virtio transport. If the 'vsock_assign_transport()' function fails or selects a different transport, the 'virtio_transport_recv_listen()' function will return an error without removing the acceptance queue increment. After approximately 'backlog+1' such failures, the acceptance queue will be full, and the listener will reject all new connections.
The vulnerability has been fixed by moving the 'sk_acceptq_added()' call to after the transport validation, aligning it with the patterns used by 'vmci_transport' and 'hyperv_transport'. Users should update to the latest version of the Linux kernel stable tree where this fix has been applied.
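The ordering problem and its fix, as an added userspace model (not the kernel's source and not the upstream patch). The struct, return codes and function names are simplified stand-ins, and the full-queue test (count greater than backlog) is an assumption chosen to match the 'backlog+1' figure above.

```c
#include <stdbool.h>
#include <stdio.h>

struct listener {                  /* userspace stand-in for the listening socket */
    unsigned int ack_backlog;      /* models the accept queue count */
    unsigned int max_ack_backlog;  /* models the listen() backlog limit */
};
enum { RECV_OK = 0, RECV_QUEUE_FULL = -1, RECV_BAD_TRANSPORT = -2 };

/* Assumption: the queue counts as full once the count exceeds the backlog. */
static bool acceptq_is_full(const struct listener *l) { return l->ack_backlog > l->max_ack_backlog; }
static void acceptq_added(struct listener *l) { l->ack_backlog++; }

/* Ordering described as vulnerable: count first, validate the transport second. */
static int recv_listen_vulnerable(struct listener *l, bool transport_ok)
{
    if (acceptq_is_full(l))
        return RECV_QUEUE_FULL;
    acceptq_added(l);
    if (!transport_ok)
        return RECV_BAD_TRANSPORT;  /* early exit leaves the increment behind */
    return RECV_OK;
}

/* Ordering described as the fix: validate the transport first, count second. */
static int recv_listen_fixed(struct listener *l, bool transport_ok)
{
    if (acceptq_is_full(l))
        return RECV_QUEUE_FULL;
    if (!transport_ok)
        return RECV_BAD_TRANSPORT;  /* nothing was counted, nothing to undo */
    acceptq_added(l);
    return RECV_OK;
}

/* Feed n mismatched requests, then report how one valid request fares. */
static int valid_after_failures(int (*handler)(struct listener *, bool), unsigned backlog, unsigned n)
{
    struct listener l = { 0, backlog };
    for (unsigned i = 0; i < n; i++)
        handler(&l, false);
    return handler(&l, true);
}

int main(void)
{
    printf("vulnerable=%d fixed=%d\n", valid_after_failures(recv_listen_vulnerable, 4, 5),
           valid_after_failures(recv_listen_fixed, 4, 5));
    return 0;
}
```

For monitoring, the same symptom on a live host is a listener whose queue count stays at or above its backlog while no connections are actually waiting to be accepted.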