The Linux kernel recently resolved a vulnerability (CVE-2024-53122) in the multipath TCP (MPTCP) subsystem. The issue is a race condition in subflow creation that can lead to a divide-by-zero error in the kernel. In this post, we describe the vulnerability, show a code snippet illustrating the fix, and discuss the conditions under which it could be exploited.

Vulnerability Details

The vulnerability lies in the MPTCP subsystem, specifically in the mptcp_rcv_space_adjust() function. It is caused by a race condition between the creation of new subflows and the receipt of data on subflows that are already established.

While establishing subflows, the MPTCP path manager may create additional active subflows and link them into the subflow list before starting the three-way handshake (3whs). If recvmsg() is called concurrently to receive data on an already established subflow, mptcp_rcv_space_adjust() would walk that list and unconditionally call tcp_cleanup_rbuf() on every subflow, including the newly created ones whose handshake has not completed, which can result in a divide-by-zero error.

Code Snippet

The fix for this vulnerability is to check the subflow's state explicitly before invoking tcp_cleanup_rbuf(). The following snippet illustrates the shape of that change; the helper and field names are as given here for illustration, so consult the upstream commit (reference 2 below) for the exact patch.

/* Only reclaim receive buffer space on subflows whose handshake has completed. */
if (subflow && subflow->sk && mptcp_subflow_tcp_fully_established(subflow))
	tcp_cleanup_rbuf(subflow->sk, copied);

By checking that the subflow is fully established before cleaning its receive buffer, subflows still in the handshake are skipped and the divide-by-zero is avoided.
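The interleaving described above, and the effect of the state check, can be replayed in user space. The following C program is an added example written for this post; it is a deliberately simplified model, not kernel code, and every name in it (struct msk, struct subflow, model_rcv_space_adjust(), run_race(), the 1460-byte MSS) is a constructed stand-in rather than a real kernel identifier. The path manager links a subflow into the list while its receive MSS is still zero; the unpatched walk reaches it and would divide by that zero, which the model reports as a trap instead of actually faulting.

```c
/* User-space model of the CVE-2024-53122 race (added example, not kernel code).
 * A multipath socket (msk) keeps a list of subflows.  The path manager links a
 * new subflow into that list before its TCP handshake completes, so a
 * concurrent recvmsg() walking the list can see a subflow whose receive MSS is
 * still 0.  The unpatched walk divides by that MSS. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum sf_state { SF_CONNECTING, SF_ESTABLISHED };

struct subflow {
	enum sf_state state;
	unsigned int rcv_mss;      /* 0 until the 3-way handshake finishes */
	unsigned int window;       /* last window computed for this subflow */
	struct subflow *next;
};

struct msk {
	struct subflow *head;
	int skipped;               /* subflows the patched walk left alone */
};

/* Path manager: link a not-yet-connected subflow into the msk list. */
static void msk_add_subflow(struct msk *m, struct subflow *sf)
{
	sf->state = SF_CONNECTING;
	sf->rcv_mss = 0;
	sf->window = 0;
	sf->next = m->head;
	m->head = sf;
}

/* 3whs completion: only now does the subflow get a usable receive MSS. */
static void subflow_complete_handshake(struct subflow *sf, unsigned int mss)
{
	sf->rcv_mss = mss;
	sf->state = SF_ESTABLISHED;
}

/* Stand-in for the window computation the cleanup path ends up doing: round
 * the free receive space down to a multiple of the subflow's MSS.  Returns -1
 * where the CPU would take a divide trap (mss == 0), i.e. the kernel oops the
 * CVE describes; the real kernel code has no such check. */
static int model_cleanup_rbuf(struct subflow *sf, unsigned int free_space)
{
	if (sf->rcv_mss == 0)
		return -1;
	sf->window = free_space - free_space % sf->rcv_mss;
	return 0;
}

/* Model of the subflow walk in mptcp_rcv_space_adjust().  With patched == 0
 * every listed subflow is touched; with patched != 0 the state check from the
 * fix is applied first.  Returns 0, or -1 if the walk would have oopsed. */
static int model_rcv_space_adjust(struct msk *m, unsigned int free_space, int patched)
{
	struct subflow *sf;

	m->skipped = 0;
	for (sf = m->head; sf; sf = sf->next) {
		if (patched && sf->state != SF_ESTABLISHED) {
			m->skipped++;
			continue;
		}
		if (model_cleanup_rbuf(sf, free_space) < 0)
			return -1;
	}
	return 0;
}

/* Replay the racy interleaving: one established subflow, a second subflow
 * linked in before its handshake starts, then recvmsg() on the first one. */
static int run_race(int patched)
{
	struct msk m;
	struct subflow established, pending;

	memset(&m, 0, sizeof(m));
	msk_add_subflow(&m, &established);
	subflow_complete_handshake(&established, 1460);   /* constructed MSS */
	msk_add_subflow(&m, &pending);                    /* 3whs not yet started */

	return model_rcv_space_adjust(&m, 100000, patched);
}

int main(void)
{
	printf("unpatched walk: %s\n", run_race(0) < 0 ? "divide trap" : "ok");
	printf("patched walk:   %s\n", run_race(1) < 0 ? "divide trap" : "ok");
	return 0;
}
```

Running it prints a divide trap for the unpatched walk and "ok" for the patched one; once subflow_complete_handshake() has run on the pending subflow, both walks succeed, which is the point of the fix: the guard only has to cover the window between list insertion and handshake completion.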

Original References

1. CVE-2024-53122 - NVD
2. MPTCP Resolved Issues - Scroll down to find "mptcp: cope racing subflow creation in mptcp_rcv_space_adjust"
3. Multipath TCP (MPTCP) Homepage

Exploit Details

An attacker exploiting this vulnerability would need to be in a position to influence MPTCP subflow creation and data transfers. This scenario may arise when the attacker is on the same network as the vulnerable system or has compromised an intermediary device between the two endpoints of the MPTCP connection.

Once the race condition is triggered, a divide-by-zero error occurs in the kernel, leading to a potential denial of service or further exploitation to gain unauthorized access or privileges.

In conclusion, the Linux kernel has addressed this vulnerability by adding an explicit check of the subflow state before invoking tcp_cleanup_rbuf(). System administrators and users should ensure they are running the latest version of the kernel to protect against this vulnerability and other potential threats.

Timeline

Published on: 12/02/2024 14:15:13 UTC
Last modified on: 12/19/2024 09:39:46 UTC