Linux Kernel MPTCP Uninitialized Memory Vulnerability

Vulnerability

A vulnerability has been identified in the Linux kernel's Multipath TCP (MPTCP) implementation: certain sub-option status bitfields are not initialized or cleared before the incoming options are parsed. Because the parser only sets the bits for sub-options that are actually present, the bits for absent sub-options keep whatever value the memory already held, and MPTCP option handling can then act on uninitialized values, which is undefined behavior. The bug was triggered by syzbot, which exposed a path where the relevant bitfield remained uncleared and the uninitialized data propagated through the MPTCP protocol handling.

Impact

Exploitation of this vulnerability could lead to the use of uninitialized memory in the MPTCP implementation, which can cause undefined behavior in the kernel, potentially allowing for memory corruption or other malicious actions.

Reproduction

The vulnerability can be reproduced by sending MPTCP packets that carry specific sub-options, exercising the MPTCP option parsing path. The uninitialized bitfields can be observed by monitoring option handling in the kernel, particularly in the 'mptcp_incoming_options' function, from where the uninitialized values propagate into MPTCP state management, for example the 'mptcp_close_ssk' and 'mptcp_pm_nl_rm_subflow_received' functions.
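As an added illustration that is not code from this page or from the kernel, the following C sketch models the bug class the advisory describes: a parser that sets status bits only for the sub-options it finds, so whatever the status struct held before parsing leaks into later decisions unless it is cleared first. The struct, the sub-option tags, the toy TLV layout and the function names are hypothetical stand-ins, not the kernel's mptcp_options_received or mptcp_incoming_options.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical parsed-option status struct (not the kernel's real layout). */
struct opt_status {
    unsigned int dss     : 1;
    unsigned int rm_addr : 1;
};

/* Constructed tags for a toy TLV encoding: [tag][total len][payload]. */
enum { SUB_DSS = 2, SUB_RM_ADDR = 4 };

/* Constructed sample option blocks: DSS only, and DSS followed by RM_ADDR. */
static const uint8_t PKT_DSS[]    = { SUB_DSS, 2 };
static const uint8_t PKT_DSS_RM[] = { SUB_DSS, 2, SUB_RM_ADDR, 3, 0x01 };

/* Sets a status bit for each sub-option present; bits for absent
 * sub-options are never written, which is the root of the bug class. */
static void parse_suboptions(const uint8_t *opts, size_t len,
                             struct opt_status *st)
{
    size_t i = 0;
    while (i + 2 <= len) {
        uint8_t tag = opts[i], l = opts[i + 1];
        if (l < 2 || i + l > len)       /* malformed length: stop */
            break;
        if (tag == SUB_DSS)
            st->dss = 1;
        else if (tag == SUB_RM_ADDR)
            st->rm_addr = 1;            /* unknown tags are skipped */
        i += l;
    }
}

/* Buggy pattern: the status struct is used without being cleared. 'stale'
 * fills it first to model leftover stack contents deterministically
 * (a real uninitialized read is undefined behaviour). */
static int rm_addr_seen_buggy(const uint8_t *opts, size_t len, uint8_t stale)
{
    struct opt_status st;
    memset(&st, stale, sizeof st);
    parse_suboptions(opts, len, &st);
    return st.rm_addr;  /* may report a sub-option that was never received */
}

/* Fixed pattern: clear every status bit before parsing, so the result
 * depends only on the bytes that arrived. */
static int rm_addr_seen_fixed(const uint8_t *opts, size_t len, uint8_t stale)
{
    struct opt_status st;
    memset(&st, stale, sizeof st);  /* same stale contents as above ... */
    memset(&st, 0, sizeof st);      /* ... wiped before parsing */
    parse_suboptions(opts, len, &st);
    return st.rm_addr;
}
```

With stale memory of 0xff, the buggy variant reports an RM_ADDR sub-option for a packet that carries only DSS, while the cleared variant reports it only when it is really on the wire.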

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating (Custom Algorithm)

  spread          9.0
  impact          2.5
  exploitability  5.7
  remediation     0.0
  relevance       0.0
  threat          4.8
  urgency         2.9
  incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.