Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*, +4 more
A race condition vulnerability has been identified in the Linux kernel's Multipath TCP (MPTCP) implementation, specifically in its subflow management. The vulnerability arises from a timing window between the failure of an existing subflow and the creation of new subflows, which can leave subflow state handled incorrectly. The problem centers on the 'allow_infinite_fallback' flag, which gates the creation of new subflows: when a subflow fails, this flag must be updated under the proper locking so that additional subflows are not created prematurely. The vulnerability affects several versions of the Linux kernel.
Exploitation of this vulnerability can lead to improper management of MPTCP subflows, potentially causing subflow failures to be mishandled or ignored, which could disrupt network communications that rely on MPTCP's multipath capabilities.
To reproduce this vulnerability, create a scenario where an MPTCP subflow fails while simultaneously attempting to establish new subflows. This can be done by sending data over an MPTCP connection that triggers a checksum failure, causing the first subflow to fail. While this failure is being processed, initiate the creation of additional subflows. The race condition occurs because the failure of the first subflow and the establishment of new subflows can interfere with each other, leading to a situation where the 'allow_infinite_fallback' flag is not properly managed.
The vulnerability has been addressed in the Linux kernel by introducing a separate flag to track the socket state and prevent additional subflow creation, ensuring that this management is protected by the appropriate locks. Users should upgrade to the latest version of the Linux kernel where this patch has been applied.