CVE-2022-48909 in Linuxinfo

Summary

by MITRE • 08/22/2024

In the Linux kernel, the following vulnerability has been resolved:

net/smc: fix connection leak

There's a potential leak issue under following execution sequence :

smc_release smc_connect_work if (sk->sk_state == SMC_INIT) send_clc_confirim tcp_abort(); ... sk.sk_state = SMC_ACTIVE smc_close_active switch(sk->sk_state) {
... case SMC_ACTIVE: smc_close_final() // then wait peer closed

Unfortunately, tcp_abort() may discard CLC CONFIRM messages that are still in the tcp send buffer, in which case our connection token cannot be delivered to the server side, which means that we cannot get a passive close message at all. Therefore, it is impossible for the to be disconnected at all.

This patch tries a very simple way to avoid this issue, once the state has changed to SMC_ACTIVE after tcp_abort(), we can actively abort the smc connection, considering that the state is SMC_INIT before tcp_abort(), abandoning the complete disconnection process should not cause too much problem.

In fact, this problem may exist as long as the CLC CONFIRM message is not received by the server. Whether a timer should be added after smc_close_final() needs to be discussed in the future. But even so, this patch provides a faster release for connection in above case, it should also be valuable.

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Analysis

by VulDB Data Team • 09/13/2024

The vulnerability described in CVE-2022-48909 represents a critical connection leak issue within the Linux kernel's Scalable Reliable Communication (SMC) protocol implementation. This flaw manifests in the network subsystem where the SMC protocol fails to properly handle connection cleanup during specific state transitions, creating a scenario where connections remain in an inconsistent state indefinitely. The issue occurs when the kernel attempts to release SMC connections while they are in transitional states, specifically when the connection state moves from SMC_INIT to SMC_ACTIVE following a TCP abort operation. This represents a classic resource management failure that can lead to system exhaustion and denial of service conditions.

The technical root cause involves a race condition between the TCP abort mechanism and the SMC connection state management system. When smc_connect_work processes a connection attempt and subsequently calls tcp_abort(), the TCP stack may discard CLC CONFIRM messages that are still buffered for transmission. These messages contain critical connection tokens necessary for proper peer communication and connection termination. The kernel's state transition logic does not account for this scenario where the abort operation occurs before the peer has received the confirmation, leaving the connection in a limbo state where neither side can properly close the connection. This issue is particularly insidious because it creates a deadlock condition where the connection cannot be fully released or closed, effectively consuming system resources without providing any utility.

The operational impact of this vulnerability extends beyond simple resource consumption to potentially compromise system stability and availability. When multiple connections become stuck in this leaky state, the system's ability to establish new SMC connections diminishes significantly, as available connection slots become exhausted. The vulnerability affects systems heavily reliant on SMC protocols for high-performance communication, particularly in enterprise environments where reliable network communication is critical. The flaw can be exploited by attackers to cause resource exhaustion through sustained connection establishment attempts, leading to denial of service conditions that affect legitimate users and services. This represents a direct violation of the principle of least privilege and resource isolation, as malicious actors can consume system resources without proper authorization.

The mitigation strategy implemented in this patch addresses the immediate issue by modifying the connection release logic to actively abort SMC connections when the state transitions to SMC_ACTIVE following tcp_abort(). This approach follows the principle of fail-fast and prevents the system from entering an inconsistent state where connections remain uncleanly closed. The solution acknowledges that since the state was SMC_INIT before tcp_abort(), abandoning the full disconnection process is acceptable and prevents resource leakage. This fix aligns with CWE-404, which covers improper resource release or cleanup, and addresses the specific ATT&CK technique of resource exhaustion through improper connection management. The patch also demonstrates proper defensive programming by avoiding complex timer mechanisms that could introduce additional complexity while providing a reliable immediate solution. However, the patch notes that future consideration should be given to implementing additional timers to handle edge cases, suggesting this is a foundational fix that may require further refinement in subsequent releases to provide complete coverage of all potential failure scenarios.

Responsible

Linux

Reservation

08/21/2024

Disclosure

08/22/2024

Moderation

accepted

CPE

ready

EPSS

0.00238

KEV

no

Activities

very low

Sources

Want to know what is going to be exploited?

We predict KEV entries!