Linux Kernel MPTCP Race Condition Vulnerability in Timer Management

Vulnerability

A race condition vulnerability has been identified in the Linux kernel's Multipath TCP (MPTCP) implementation, specifically within the MPTCP performance management module. The issue arises in the 'mptcp_pm_del_add_timer()' function, which can call 'sk_stop_timer_sync()' on a timer entry that has already been freed. This flaw, reported by syzbot, is a use-after-free: memory that has already been released is accessed, potentially causing memory corruption or other unintended behavior.

Impact

Exploitation of this vulnerability leads to a use-after-free condition and, from there, memory corruption. Such conditions can often be leveraged to execute arbitrary code or to cause a denial of service by crashing the system.

Reproduction

The vulnerability can be reproduced by sending MPTCP packets that trigger the 'mptcp_pm_del_add_timer()' function. This can be done by establishing an MPTCP connection and then manipulating the timing of packet acknowledgments so that the function stops a timer belonging to an entry that has already been freed. The use-after-free can be observed by enabling the Kernel Address Sanitizer (KASAN), which reports the invalid memory access.

Remediation

Users should upgrade to the latest stable version of the Linux kernel, where this vulnerability has been addressed. Instructions for upgrading the kernel can be found in the official Linux kernel documentation.
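Before scheduling the upgrade, an operator usually wants to know whether a given host can reach the affected MPTCP code path at all. The following shell script is an added example written for this advisory (it is not part of the advisory or of the kernel project); it reads the net.mptcp.enabled sysctl, which governs whether the kernel will create MPTCP sockets, and prints an exposure summary together with the running kernel release. The optional path argument is an assumption made so the check can also be run against a constructed file.

```shell
#!/bin/sh
# Added example: report whether the affected MPTCP path-management code is
# reachable on this host. Not from the advisory; the optional file argument is
# a testing convenience, not a kernel interface.

mptcp_state() {
    # $1 (optional): path of the sysctl file; defaults to the live kernel value.
    f="${1:-/proc/sys/net/mptcp/enabled}"
    if [ ! -r "$f" ]; then
        # No sysctl node: kernel built without CONFIG_MPTCP or too old to have it.
        echo "absent"
        return 0
    fi
    v=$(tr -d '[:space:]' < "$f")
    case "$v" in
        1) echo "enabled" ;;
        0) echo "disabled" ;;
        *) echo "unknown" ;;
    esac
}

exposure_report() {
    # $1 (optional): sysctl file path, passed through to mptcp_state.
    state=$(mptcp_state "$1")
    case "$state" in
        enabled)
            echo "MPTCP enabled on kernel $(uname -r): MPTCP sockets, and with them the MPTCP timer code, are reachable; prioritise the kernel upgrade." ;;
        disabled)
            echo "MPTCP disabled on kernel $(uname -r): new MPTCP sockets cannot be created, so remote peers cannot reach MPTCP-specific code on this host." ;;
        absent)
            echo "No net.mptcp.enabled sysctl: this kernel has no MPTCP support." ;;
        *)
            echo "Unrecognised value for net.mptcp.enabled; inspect the sysctl by hand." ;;
    esac
    echo "$state"
}

# Run against the live kernel when executed directly.
exposure_report >/dev/null 2>&1 || true
```

Setting net.mptcp.enabled to 0 on hosts that do not need MPTCP removes the exposure for new connections, but it does not tear down MPTCP sockets that already exist, so it is a stop-gap for the window before the kernel upgrade rather than a replacement for it.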

Added: Dec 4, 2025, 4:34 PM
Updated: Dec 4, 2025, 5:34 PM

Vulnerability Rating

Custom Algorithm

spread:         9.0
impact:         2.5
exploitability: 5.3
remediation:    7.7
relevance:      1.4
threat:         4.8
urgency:        2.9
incentive:      1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.