Linux Kernel MPTCP Subflow Management Vulnerability

Vulnerability

A vulnerability has been identified in the Linux kernel's Multipath TCP (MPTCP) implementation, specifically in the in-kernel path manager (PM). The issue arises when an MPTCP endpoint is created with both the 'signal' and 'subflow' flags, but no subflows are initiated. This can happen if the subflow limit is set to zero or if other conditions prevent the creation of subflows. When the endpoint is later removed, the kernel emits a warning because the local address usage counter was never incremented, so the recorded state does not match the expected one. The issue was discovered by Syzkaller, a fuzzing tool, which triggered the warning by sending a message that removed a subflow endpoint that had not first been marked as used.

Impact

The vulnerability can lead to a kernel warning and potential instability in the MPTCP implementation, as the state management of subflow endpoints is not handled correctly.

Reproduction

To reproduce this vulnerability, set the MPTCP subflow limit to zero. Then, create an MPTCP endpoint with both the 'signal' and 'subflow' flags. After that, initiate a new MPTCP connection from a different address, which will send an ADD_ADDR linked to the endpoint (using the 'signal' flag), but without starting any subflows (due to the 'subflow' flag). Finally, remove the MPTCP endpoint. This sequence of actions will generate a warning indicating that the local address usage has not been properly accounted for, highlighting the vulnerability.
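A configuration check for the conditions listed above, as an added example that is not part of the original advisory or of the kernel project. It parses text in the layout printed by `ip mptcp limits show` and `ip mptcp endpoint show` (layout assumed from iproute2; the sample lines and the function names are constructed for illustration) and reports endpoints that carry both flags.

```shell
#!/bin/sh
# Added example: audit MPTCP path-manager configuration for the conditions
# described under Reproduction. The `ip mptcp` output layout is an assumption.

# Read `ip mptcp limits show` text on stdin, print the subflows limit.
subflow_limit() {
    awk '{ for (i = 1; i < NF; i++)
               if ($i == "subflows") { print $(i + 1); exit } }'
}

# Read `ip mptcp endpoint show` text on stdin, print "<addr> id <n>" for every
# endpoint that has both the signal and subflow flags, comma-separated.
signal_subflow_endpoints() {
    awk '{
        sig = 0; sf = 0; id = "?"
        for (i = 2; i <= NF; i++) {
            if ($i == "dev") { i++; continue }   # skip the interface name
            if ($i == "id")  { id = $(i + 1); i++; continue }
            if ($i == "signal")  sig = 1
            if ($i == "subflow") sf = 1
        }
        if (sig && sf) print $1 " id " id
    }' | paste -sd ',' -
}

# classify_mptcp <limits-text> <endpoints-text>
#   ok      no endpoint has both flags
#   match   both flags present and the subflow limit is zero
#   review  both flags present, limit non-zero (other conditions may still
#           prevent subflow creation, per the description above)
classify_mptcp() {
    limit=$(printf '%s\n' "$1" | subflow_limit)
    hits=$(printf '%s\n' "$2" | signal_subflow_endpoints)
    if [ -z "$hits" ]; then
        echo "ok"
    elif [ "$limit" = "0" ]; then
        echo "match: $hits"
    else
        echo "review: $hits"
    fi
}

# Constructed sample input (not captured from a real host).
SAMPLE_LIMITS='add_addr_accepted 0 subflows 0'
SAMPLE_ENDPOINTS='10.0.1.1 id 1 signal subflow dev eth0
10.0.2.1 id 2 subflow dev eth1
10.0.3.1 id 3 signal'

classify_mptcp "$SAMPLE_LIMITS" "$SAMPLE_ENDPOINTS"
```

On a live host, the same function can be called as `classify_mptcp "$(ip mptcp limits show)" "$(ip mptcp endpoint show)"`.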

Remediation

The vulnerability has been addressed in the official Linux Git repository. Users can upgrade to the latest version to apply the fix.

Added: Mar 25, 2026, 12:47 PM
Updated: Mar 25, 2026, 12:47 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 0.6
exploitability: 3.9
remediation: 7.7
relevance: 4.7
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.