Linux Kernel MPTCP Protocol Improper State Handling in Worker Function Leading to Division Error

Vulnerability

A vulnerability in the Linux kernel's Multipath TCP (MPTCP) implementation allows the protocol to execute the worker function when the associated socket is in an invalid state. This issue arises after a connection reset is received and the socket is closed, yet the MPTCP worker is still scheduled to run. The improper state management can cause a division error, disrupting normal processing. This vulnerability affects Linux kernel versions 6.3.0-rc1 and prior.

Impact

Exploitation of this vulnerability leads to a division error, causing a crash in the kernel's workqueue processing.

Reproduction

The vulnerability can be reproduced by initiating a connection that triggers a reset, followed by a fast close of the socket. The MPTCP worker is still scheduled to run even though the socket is closed; this condition can be reached by simulating an incoming reset on a fast-closed socket. When the worker executes, it attempts to process the socket as if it were in a valid state, leading to the division error.

Remediation

Users can upgrade to the latest stable version of the Linux kernel where this vulnerability has been addressed.
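
A host triage check for the version range stated above, as an added example that is not part of the advisory or of the kernel project. The function names and verdict strings are hypothetical; the check assumes `/proc/sys/net/mptcp/enabled` (the `net.mptcp.enabled` sysctl) reflects whether MPTCP sockets can be created, and it compares upstream version strings only, so a distribution kernel with a backported fix will still be reported as in range.

```shell
#!/bin/sh
# Added triage example; function names are hypothetical.

# in_advisory_range RELEASE -> 0 if RELEASE (uname -r style) is at or before
# 6.3.0-rc1, 1 if later, 2 if unparseable. Heuristic: a distribution kernel
# may carry a backported fix under an older version string.
in_advisory_range() {
    rel=$1
    base=${rel%%-*}                          # "6.3.0-rc1" -> "6.3.0"
    major=${base%%.*}
    rest=${base#*.}
    minor=${rest%%.*}; minor=${minor%%[!0-9]*}
    case $rest in
        *.*) patch=${rest#*.}; patch=${patch%%[!0-9]*} ;;
        *)   patch=0 ;;
    esac
    case $rel in
        *-rc[0-9]*) rc=${rel#*-rc}; rc=${rc%%[!0-9]*} ;;
        *)          rc= ;;
    esac
    case $major:$minor:$patch in
        *[!0-9:]*|:*|*::*|*:) return 2 ;;
    esac
    [ "$major" -lt 6 ] && return 0
    [ "$major" -gt 6 ] && return 1
    [ "$minor" -lt 3 ] && return 0
    [ "$minor" -gt 3 ] && return 1
    [ "$patch" -gt 0 ] && return 1
    [ -n "$rc" ] && [ "$rc" -le 1 ]          # 6.3.0: only rc0/rc1 are in range
}

# mptcp_state [FILE] -> prints enabled, disabled or absent (no MPTCP support).
mptcp_state() {
    f=${1:-/proc/sys/net/mptcp/enabled}      # sysctl net.mptcp.enabled
    [ -r "$f" ] || { echo absent; return 0; }
    case $(cat "$f") in
        1) echo enabled ;;
        *) echo disabled ;;
    esac
}

# triage RELEASE STATE -> one-word verdict for patch prioritisation.
triage() {
    in_advisory_range "$1" && r=0 || r=$?
    case $r:$2 in
        0:enabled) echo review-now ;;
        0:*)       echo in-range-mptcp-off ;;
        1:*)       echo outside-range ;;
        *)         echo unknown-version ;;
    esac
}

triage "$(uname -r)" "$(mptcp_state)"
```

A `review-now` verdict means the running kernel version falls in the advisory's range and MPTCP sockets can be created; confirm against the distribution's own security tracker before treating the host as unpatched.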

Added: Dec 30, 2025, 4:21 PM
Updated: Dec 30, 2025, 4:21 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 2.5
exploitability: 5.7
remediation: 7.7
relevance: 1.7
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.