Linux Kernel Multipath TCP Address Flush Race Condition Vulnerability

Vulnerability

A race condition vulnerability has been identified in the Linux kernel's Multipath TCP (MPTCP) implementation, specifically within the address flushing process of the Netlink interface. This vulnerability affects the MPTCP connection management and can lead to crashes when handling local IDs or backup states. The issue arises because the function responsible for flushing addresses is not properly synchronized for Read-Copy Update (RCU) operations, creating a timing conflict that can disrupt normal processing.

Impact

Exploitation of this vulnerability causes crashes in the MPTCP Netlink address management functions, disrupting the handling of local IDs and backup states, which can lead to instability in applications relying on MPTCP.

Reproduction

The vulnerability can be reproduced by triggering the MPTCP Netlink address flushing process while the associated lock is held, causing a race condition that leads to a crash. This can be done by manually invoking the address flush operation through the Netlink interface while simultaneously holding the pernet lock, a spinlock used for synchronization in the MPTCP Netlink address management.

Remediation

Users can upgrade to the latest version of the Linux kernel where this vulnerability has been addressed. The specific commit that fixes this issue is available in the Linux stable tree.

Added: Feb 14, 2026, 4:41 PM
Updated: Feb 14, 2026, 4:41 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 2.5
exploitability: 3.9
remediation: 7.7
relevance: 2.8
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.