Linux Kernel MPTCP Subflow Initialization Slab-Use-After-Free Vulnerability

Vulnerability

A slab-use-after-free vulnerability has been identified in the Linux kernel's implementation of Multipath TCP (MPTCP) for IPv6. This issue arises from improper initialization of the TCPv6 protocol within the MPTCP subflow management, leading to child sockets being allocated from a memory pool that does not ensure safe memory handling. Consequently, when these sockets are freed, the memory can be quickly reused, allowing concurrent operations to access freed memory and causing a use-after-free condition. This vulnerability affects the Linux kernel's stable releases, specifically in the MPTCP implementation that handles IPv6 subflows.

Impact

Exploitation of this vulnerability leads to a use-after-free condition, in which memory is accessed after it has been freed, potentially causing memory corruption or allowing arbitrary code execution.

Reproduction

The vulnerability can be reproduced by initializing MPTCP with IPv6 support. During the initialization process, the MPTCP subflow management incorrectly handles the TCPv6 protocol setup, causing child sockets to be allocated from a memory pool that lacks proper safeguards against concurrent memory access issues. This mismanagement creates a window where the ehash table lookups can access freed memory, triggering the slab-use-after-free condition.

Remediation

The vulnerability has been fixed by separating the IPv6-specific initialization into a dedicated function, ensuring that the TCPv6 protocol is correctly set up before it is used. Users should upgrade to the latest stable version of the Linux kernel where this fix has been applied.
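
The ordering problem and its fix, as an added example that is not from this advisory or from the kernel source: a userspace C model in which every name (base_v6, subflow_v6, register_v6 and the rest) is hypothetical. It assumes the state missed by the early initialization is the protocol's allocation pool, and it adds an init-time check that turns the ordering mistake into an immediate error.

```c
#include <stdio.h>

/* Userspace model only; every name here is hypothetical, not kernel code. */
struct pool  { int reuse_safe; };   /* 1 = freed objects are protected from fast reuse */
struct proto { const char *name; struct pool *pool; };

static struct pool  v6_pool = { 1 };   /* dedicated, safe pool */
static struct proto base_v6;           /* stands in for the TCPv6 protocol */
static struct proto subflow_v6;        /* stands in for the subflow's private copy */

/* Protocol setup: only after this does the base descriptor own its pool. */
static void register_v6(void) { base_v6.name = "v6"; base_v6.pool = &v6_pool; }

/* Snapshot the base descriptor; whatever it holds right now is frozen in. */
static void subflow_v6_init(void)
{
    subflow_v6 = base_v6;
    subflow_v6.name = "v6-subflow";
}

/* Hardened variant: refuse to snapshot a descriptor that is not set up yet. */
static int subflow_v6_init_checked(void)
{
    if (base_v6.pool == NULL)
        return -1;
    subflow_v6_init();
    return 0;
}

/* Child allocation: without a pool the object comes from the generic allocator. */
static int child_from_safe_pool(void) { return subflow_v6.pool != NULL && subflow_v6.pool->reuse_safe; }

static void reset(void) { base_v6 = (struct proto){0}; subflow_v6 = (struct proto){0}; }

/* Before the fix: the copy is taken during a combined init, ahead of setup. */
int buggy_boot(void) { reset(); subflow_v6_init(); register_v6(); return child_from_safe_pool(); }

/* After the fix: a dedicated v6 init runs once the protocol is set up. */
int fixed_boot(void) { reset(); register_v6(); subflow_v6_init(); return child_from_safe_pool(); }

/* The checked init reports the ordering mistake instead of copying stale state. */
int checked_early_init(void) { reset(); return subflow_v6_init_checked(); }

int main(void)
{
    printf("buggy=%d fixed=%d checked=%d\n", buggy_boot(), fixed_boot(), checked_early_init());
    return 0;
}
```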

Added: Apr 24, 2026, 3:31 PM
Updated: Apr 24, 2026, 3:31 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 0.6
exploitability: 3.9
remediation: 7.7
relevance: 6.6
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.