Linux Kernel MCTP Route Key Lock Vulnerability

Vulnerability

A vulnerability in the Linux kernel's Management Component Transport Protocol (MCTP) routing code can lead to a resource leak. The function 'mctp_flow_prepare_output()' accesses 'key->dev' without holding the associated lock, 'key->lock', as required. This creates a race condition in which the 'key->dev' value can be overwritten, causing a reference to be lost. The vulnerability affects the stable versions of the Linux kernel.

Impact

Exploitation of this vulnerability can lead to a resource leak, where references to device keys are not properly released, potentially causing memory management issues.

Reproduction

The vulnerability can be reproduced by invoking the 'mctp_sendmsg()' function, which triggers the 'mctp_flow_prepare_output()' function without holding the necessary lock. This sequence creates a race condition where the 'key->dev' value can be manipulated concurrently, leading to the described resource leak.

Remediation

The vulnerability has been fixed by modifying the 'mctp_flow_prepare_output()' function to hold 'key->lock' around the 'key->dev' checks and the calls to 'mctp_dev_set_key()'. Users should upgrade to the patched version of the Linux kernel.
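The following is an added example, not kernel code and not taken from the patch: a user-space C model that enumerates every interleaving of two callers running the check-then-set sequence on 'key->dev', with and without the lock, and counts the schedules that lose a reference. The structs, 'set_key()', 'run_schedule()' and the two-step CHECK/SET split are simplifications assumed for illustration.

```c
#include <stdio.h>

struct dev { int refs; };                    /* simplified refcounted device */
struct key { struct dev *dev; int owner; };  /* owner: lock holder, -1 = free */

/* Simplified stand-in for binding a device to a key: takes one reference. */
static void set_key(struct key *k, struct dev *d) { d->refs++; k->dev = d; }

/* Bit i of sched names the caller (0 or 1) that runs step i. Each caller runs
 * CHECK (is key->dev NULL?) then SET. Returns the number of leaked references,
 * or -1 if the schedule cannot occur because a caller would block on the lock. */
static int run_schedule(unsigned sched, int use_lock)
{
    struct dev d[2] = {{0}, {0}};
    struct key k = { NULL, -1 };
    int pc[2] = {0, 0}, saw_null[2] = {0, 0};
    for (int i = 0; i < 4; i++) {
        int c = (sched >> i) & 1;
        if (pc[c]++ == 0) {                    /* CHECK step */
            if (use_lock && k.owner != -1) return -1;
            if (use_lock) k.owner = c;         /* lock taken before the check */
            saw_null[c] = (k.dev == NULL);
        } else {                               /* SET step */
            if (saw_null[c]) set_key(&k, &d[c]);
            if (use_lock) k.owner = -1;        /* lock dropped after the set */
        }
    }
    if (k.dev) k.dev->refs--;  /* key teardown drops only the ref it can reach */
    return d[0].refs + d[1].refs;
}

/* Over all schedules where each caller takes exactly two steps, count those
 * that can occur (leaking_only == 0) or that leak a reference (== 1). */
int count_schedules(int use_lock, int leaking_only)
{
    int n = 0;
    for (unsigned s = 0; s < 16; s++) {
        if (__builtin_popcount(s) != 2) continue;
        int r = run_schedule(s, use_lock);
        if (leaking_only ? r > 0 : r >= 0) n++;
    }
    return n;
}

int main(void)
{
    printf("unlocked: %d of %d schedules leak\n", count_schedules(0, 1), count_schedules(0, 0));
    printf("locked:   %d of %d schedules leak\n", count_schedules(1, 1), count_schedules(1, 0));
    return 0;
}
```

In this model the leaking schedules are exactly those in which both CHECK steps run before either SET step; holding the lock across both steps makes those schedules impossible.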

Added: May 8, 2026, 7:35 PM
Updated: May 8, 2026, 7:35 PM

Vulnerability Rating

Custom Algorithm
spread: 9.0
impact: 0.6
exploitability: 3.9
remediation: 7.7
relevance: 7.8
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.