CVE-2023-54306

Vulnerability

Description

In the Linux kernel's TLS implementation, a vulnerability exists where tasks may become permanently hung on the tx_lock mutex. The root cause is that a thread that acquires the lock can sleep indefinitely, as an adversarial receiver can keep the receive window (RWIN) at 0 for an extended period, preventing forward progress. This leads to a denial-of-service condition where the system hangs and tasks never complete.

Exploitation

An attacker with the ability to act as a TLS receiver can exploit this by intentionally setting the receive window to 0. This prevents the sender from making progress when it has data to transmit. The sender's thread, which holds the tx_lock, then goes to sleep waiting for the window to open, but the attacker never allows it, causing the thread to sleep for hours. No authentication on the network level is required beyond establishing a TLS connection, making this a straightforward resource starvation attack.

Impact

The primary impact is a denial-of-service on the kernel TLS subsystem. The kernel thread handling TLS transmission becomes permanently blocked, which can cascade to affect other network operations or lead to a system hang. Userspace applications relying on TLS may experience complete loss of network communication, potentially leading to downtime in services that depend on the kernel's TLS offload (kTLS).

Mitigation

The fix, as committed in the Linux kernel stable trees, changes the sleep behavior to be interruptible and reschedules the work if the lock cannot be taken immediately. This prevents tasks from hanging indefinitely by allowing them to be interrupted and retried later. Users should update their kernel to include the fix, referenced by commits [1], [2], and [3]. No workarounds are documented, as the vulnerability is in the kernel code itself and requires a kernel patch to address.