Linux Kernel MPTCP ADD_ADDR Retransmission Timer Vulnerability

Vulnerability

A vulnerability in the Linux kernel's Multipath TCP (MPTCP) implementation has been addressed. The issue arose when an ADD_ADDR message was retransmitted: the associated socket was held by the retransmission timer and released later. If that release dropped the last reference to the socket, the socket was not freed properly. Because of this incorrect handling, the socket management functions could deadlock by waiting indefinitely for the timer to expire. The vulnerability affected the Linux kernel stable tree.
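
The reference-counting problem described above, as an added user-space C model (not kernel code and not part of the original advisory). Every type and function name is hypothetical, and the "put after the callback" ordering is an assumed safe ordering for illustration, not the upstream patch.

```c
#include <stdbool.h>

/* User-space model. Every name here is hypothetical, not a kernel symbol. */
enum put_mode { PUT_NO_FREE, PUT_IN_CALLBACK, PUT_AFTER_CALLBACK };
enum outcome  { SOCK_FREED, SOCK_LEAKED, SOCK_DEADLOCK, SOCK_ALIVE };

struct model_sock {
    int  refcnt;         /* references held on the socket */
    bool timer_running;  /* true while the timer callback executes */
    bool freed, deadlocked;
};

/* Destructor: must stop the timer synchronously, i.e. wait for the callback. */
static void sock_destroy(struct model_sock *sk)
{
    if (sk->timer_running)   /* waiting on ourselves: real code never returns */
        sk->deadlocked = true;
    else
        sk->freed = true;
}

static void sock_put(struct model_sock *sk)
{
    if (--sk->refcnt == 0)
        sock_destroy(sk);
}

/* Retransmission timer callback; the armed timer owns one socket reference. */
static void add_addr_timer_fire(struct model_sock *sk, enum put_mode mode)
{
    sk->timer_running = true;         /* ADD_ADDR would be retransmitted here */
    if (mode == PUT_NO_FREE)
        sk->refcnt--;                 /* drops the count, never destroys */
    else if (mode == PUT_IN_CALLBACK)
        sock_put(sk);                 /* may be the last reference */
    sk->timer_running = false;
    if (mode == PUT_AFTER_CALLBACK)   /* assumed ordering, not the upstream fix */
        sock_put(sk);
}

/* other_refs: references still held elsewhere when the timer fires. */
enum outcome run_scenario(int other_refs, enum put_mode mode)
{
    struct model_sock sk = { .refcnt = other_refs + 1 };
    add_addr_timer_fire(&sk, mode);
    if (sk.deadlocked) return SOCK_DEADLOCK;
    if (sk.freed)      return SOCK_FREED;
    return sk.refcnt == 0 ? SOCK_LEAKED : SOCK_ALIVE;
}
```

With `other_refs` set to 0, the three modes give a leaked socket, a self-wait on the timer, and a clean free. With another reference still held, dropping the timer's reference inside the callback is harmless.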

Impact

The vulnerability could lead to a deadlock, where the system waits indefinitely for a timer to expire, causing a stall in the socket management process.

Reproduction

The vulnerability can be reproduced by retransmitting an ADD_ADDR message in the MPTCP implementation. This can be done by simulating a scenario where the ADD_ADDR message times out and is retransmitted. During this process, the socket's timer management can be observed, showing how the last reference to the socket is not freed properly, leading to a deadlock.

Remediation

Users can upgrade to the latest version of the Linux kernel stable tree, where this vulnerability has been fixed.

Added: May 28, 2026, 12:32 PM
Updated: May 28, 2026, 12:32 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 2.5
exploitability: 4.3
remediation: 7.7
relevance: 9.2
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.