Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
- >= 7.0.0-rc2, < 7.0.0-rc2+
A divide-by-zero vulnerability has been identified in the Linux kernel's TIPC (Transparent Inter-Process Communication) module. This issue arises in the function 'tipc_sk_filter_connect()', where a user can set the connection timeout to any value, including those less than 4. When a SYN packet is rejected due to overload, the function attempts to calculate a delay based on the connection timeout. If the timeout is between 0 and 3, the calculation results in zero, leading to a divide-by-zero error. This error causes a kernel oops or panic, disrupting system stability. The vulnerability affects several versions of the Linux kernel, including 7.0.0-rc2.
Exploitation of this vulnerability causes a kernel oops or panic, leading to a system crash.
To reproduce this vulnerability, set the TIPC connection timeout to a value less than 4 using the 'setsockopt' function. Then, initiate a connection that is rejected with the TIPC_ERR_OVERLOAD error. This will trigger the 'tipc_sk_filter_connect()' function, where the invalid timeout value will cause a divide-by-zero error.
The vulnerability has been addressed by modifying the TIPC socket connection handling to ensure that the connection timeout is clamped to a minimum of 4. Users should update to the latest version of the Linux kernel where this fix has been applied.
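A user-space C model of the arithmetic described above and of the clamp the fix applies, added here as an illustration; it is not the kernel's code. The divisor `timeout / 4`, the helper names and the sample random value are assumptions chosen to match the advisory's statement that timeouts 0 to 3 yield zero.

```c
#include <stdint.h>
#include <stdio.h>

/* Minimum connection timeout the fix enforces, per the advisory text. */
#define CONN_TIMEOUT_MIN 4u

/* Assumed model of the divisor: integer division of the timeout by 4,
 * which is zero for the timeouts 0..3 the advisory names. */
static uint32_t backoff_divisor(uint32_t conn_timeout)
{
    return conn_timeout / 4u;
}

/* Hardened setter: clamp the user-supplied timeout to the minimum. */
static uint32_t clamp_conn_timeout(uint32_t requested)
{
    return requested < CONN_TIMEOUT_MIN ? CONN_TIMEOUT_MIN : requested;
}

/* Retry delay after an overload rejection. Returns 0 and stores the delay,
 * or -1 where an unguarded modulo would divide by zero. */
static int retry_delay(uint32_t conn_timeout, uint16_t rnd, uint32_t *delay)
{
    uint32_t div = backoff_divisor(conn_timeout);
    if (div == 0)
        return -1;
    *delay = rnd % div;
    return 0;
}

/* Count timeouts in [0, limit) that reach a zero divisor. */
static unsigned count_unsafe(uint32_t limit, int clamped)
{
    unsigned n = 0;
    for (uint32_t t = 0; t < limit; t++)
        n += backoff_divisor(clamped ? clamp_conn_timeout(t) : t) == 0;
    return n;
}

int main(void)
{
    uint32_t d = 0;
    const uint16_t rnd = 1234; /* constructed sample random value */
    for (uint32_t t = 0; t <= 5; t++) {
        int raw = retry_delay(t, rnd, &d);
        int fixed = retry_delay(clamp_conn_timeout(t), rnd, &d);
        printf("timeout=%u raw=%s clamped=%s\n", (unsigned)t,
               raw ? "div-by-zero" : "ok", fixed ? "div-by-zero" : "ok");
    }
    printf("unsafe in 0..15: raw=%u clamped=%u\n",
           count_unsafe(16, 0), count_unsafe(16, 1));
    return 0;
}
```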