Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
A vulnerability in the Linux kernel's Multipath TCP (MPTCP) implementation has been addressed. The issue arose because MPTCP-level out-of-order (OoO) data was incorrectly accounted for in the MPTCP receive buffer growth function. This misaccounting could cause the receive buffer to drift towards the maximum TCP receive memory limit, potentially causing performance issues. The flaw also introduced a rare race condition that could trigger a divide-by-zero error, crashing the kernel. The vulnerability affected the Linux kernel stable tree.
The vulnerability could cause a kernel crash due to a divide-by-zero error, disrupting system operations and potentially leading to a denial of service.
The vulnerability can be reproduced by activating multiple MPTCP subflows concurrently, which will naturally create out-of-order data scenarios. This can be done by establishing MPTCP connections that utilize different subflows, such as TCP over different network interfaces or paths. Once the out-of-order data is generated, the MPTCP receive buffer will incorrectly account for this, allowing the buffer to drift towards the maximum TCP receive memory limit. This mismanagement can be observed by monitoring the receive buffer size and noting any unintended increases that align with the introduction of out-of-order data.
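The monitoring described above can be scripted. The following is an added example, not code from the advisory or the kernel project: it compares each socket's receive buffer (`rb` in the `skmem` field of `ss` memory output) across samples with the maximum in `tcp_rmem` and flags sockets that only grew and ended near that maximum. The sample lines, the one-line `ss -M -n -m -O` layout they imitate, and the 0.9 threshold are assumptions; normal autotuning on a high-bandwidth path can also reach the maximum, so a flag is a triage signal only.

```python
import re

SKMEM_RB = re.compile(r"skmem:\(r\d+,rb(\d+),")   # rb = socket receive buffer size (bytes)
ENDPOINT = re.compile(r"\S+:\d+")                  # address:port token

def parse_tcp_rmem_max(text):
    """Third field of /proc/sys/net/ipv4/tcp_rmem is the maximum receive buffer."""
    return int(text.split()[2])

def parse_sample(text):
    """Map (local, peer) -> rb for every socket line that carries an skmem field."""
    sockets = {}
    for line in text.splitlines():
        m = SKMEM_RB.search(line)
        if not m:
            continue
        ends = ENDPOINT.findall(line[:m.start()])
        if len(ends) >= 2:
            sockets[(ends[-2], ends[-1])] = int(m.group(1))
    return sockets

def drifting(samples, rmem_max, near=0.9):
    """Sockets whose rb never shrank, grew overall, and ended near rmem_max."""
    history = {}
    for text in samples:
        for key, rb in parse_sample(text).items():
            history.setdefault(key, []).append(rb)
    flagged = []
    for key, rbs in history.items():
        monotonic = all(a <= b for a, b in zip(rbs, rbs[1:]))
        if monotonic and rbs[-1] > rbs[0] and rbs[-1] >= near * rmem_max:
            flagged.append(key)
    return sorted(flagged)

# Constructed samples, modelled on one-line `ss -M -n -m -O` output.
LINE = "ESTAB 0 0 {} {} skmem:(r0,rb{},t0,tb87040,f0,w0,o0,bl0,d0)"
A = ("10.0.0.1:5201", "10.0.0.2:41000")   # multi-subflow transfer
B = ("10.0.0.1:8080", "10.0.0.3:50000")   # idle connection
SAMPLES = [
    "\n".join([LINE.format(*A, rb_a), LINE.format(*B, 131072)])
    for rb_a in (131072, 2097152, 6291456)
]
TCP_RMEM = "4096 131072 6291456"          # constructed /proc/sys/net/ipv4/tcp_rmem content

if __name__ == "__main__":
    print(drifting(SAMPLES, parse_tcp_rmem_max(TCP_RMEM)))
```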
Users can upgrade to the latest version of the Linux kernel where this vulnerability has been fixed. Instructions for upgrading the kernel can be found in the official Linux kernel documentation.