CVE-2024-50085: Linux Kernel Vulnerability - mptcp: pm: fix UaF read in mptcp_pm_nl_rm_addr_or_subflow

Description: This vulnerability has recently been resolved in the Linux kernel. Syzkaller, an unsupervised coverage-guided Linux syscall fuzzer, reported this bug: a use-after-free (UaF) read in the mptcp_pm_nl_rm_addr_or_subflow() function of the Linux kernel's MPTCP path manager (net/mptcp/pm_netlink.c:881). Use-After-Free vulnerabilities can lead to memory corruption, denial of service and potentially even remote code execution.

Details: The link to the original Syzkaller report can be found here. The issue was found in the following version of the Linux kernel: 6.12.-rc2-syzkaller-00307-g36c254515dc6. Below is an excerpt of the KASAN report showing the problem.

KASAN report excerpt

BUG: KASAN: slab-use-after-free in mptcp_pm_nl_rm_addr_or_subflow+xb44/xcc net/mptcp/pm_netlink.c:881
Read of size 4 at addr ffff8880569ac858 by task syz.1.2799/14662

[...]

Allocated by task 5387:
kasan_save_stack+x33/x60 mm/kasan/common.c:47
kasan_save_track+x14/x30 mm/kasan/common.c:68
poison_kmalloc_redzone mm/kasan/common.c:377 [inline]
__kasan_kmalloc+xaa/xb mm/kasan/common.c:394
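As an added example (not from the advisory, syzkaller or the kernel project), a small Python triage helper that parses a KASAN report like the one above into the fields a defender records when matching a crash against a CVE: bug class, faulting function and source line, access kind and size, and the per-task allocation/free stacks. The sample report embedded in it is constructed from the excerpt above, with the hex offsets written in their usual 0x form (the size values are illustrative).

```python
import re
from dataclasses import dataclass, field

# KASAN line shapes.  The "0" of "0x" is optional so an excerpt that lost it (as above) still parses.
HEX = r"0?x[0-9a-f]+"
HEADER_RE = re.compile(rf"BUG: KASAN: (?P<kind>[\w-]+) in (?P<func>\w+)\+{HEX}/{HEX}"
                       r"(?: (?P<file>[\w./-]+):(?P<line>\d+))?")
ACCESS_RE = re.compile(r"(?P<rw>Read|Write) of size (?P<n>\d+) at addr [0-9a-f]+ by task (?P<task>\S+)")
SECTION_RE = re.compile(r"^(?P<what>Allocated|Freed) by task (?P<pid>\d+):$")
FRAME_RE = re.compile(rf"^(?P<func>\w+)(?:\+{HEX}/{HEX})? (?P<loc>\S+)")

@dataclass
class KasanReport:
    kind: str = ""       # bug class, e.g. slab-use-after-free
    func: str = ""       # function performing the bad access
    location: str = ""   # file:line of that access
    access: str = ""     # "read" or "write"
    size: int = 0        # bytes accessed
    task: str = ""       # comm/pid that triggered it
    stacks: dict = field(default_factory=dict)  # "Allocated"/"Freed" -> (pid, [(func, file:line), ...])

def parse_kasan(text: str) -> KasanReport:
    """Walk the report line by line; a blank line or '[...]' ends the current stack section."""
    rep, current = KasanReport(), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "[...]":
            current = None
        elif m := HEADER_RE.search(line):
            rep.kind, rep.func = m["kind"], m["func"]
            rep.location = f"{m['file']}:{m['line']}" if m["file"] else ""
        elif m := ACCESS_RE.search(line):
            rep.access, rep.size, rep.task = m["rw"].lower(), int(m["n"]), m["task"]
        elif m := SECTION_RE.match(line):
            current = m["what"]
            rep.stacks[current] = (int(m["pid"]), [])
        elif current and (m := FRAME_RE.match(line)):
            rep.stacks[current][1].append((m["func"], m["loc"]))
    return rep
# Constructed sample modelled on the excerpt above; the hex offsets/sizes are illustrative.
SAMPLE = """\
BUG: KASAN: slab-use-after-free in mptcp_pm_nl_rm_addr_or_subflow+0xb44/0xcc0 net/mptcp/pm_netlink.c:881
Read of size 4 at addr ffff8880569ac858 by task syz.1.2799/14662

Allocated by task 5387:
 kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
 kasan_save_track+0x14/0x30 mm/kasan/common.c:68
 poison_kmalloc_redzone mm/kasan/common.c:377 [inline]
 __kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:394
"""
```

`parse_kasan(SAMPLE)` yields the bug class, `mptcp_pm_nl_rm_addr_or_subflow` at `net/mptcp/pm_netlink.c:881`, a 4-byte read, and the four-frame allocation stack for task 5387; a `Freed by task` section, when present, lands under `stacks["Freed"]`.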

Resolution: To fix the vulnerability, the Linux kernel developers have applied a patch in the mptcp_pm_nl_rm_addr_or_subflow() function. You can find the Linux kernel commit that resolves this issue here.

Recommendation: Users running an affected version of the Linux kernel are strongly advised to update their systems as soon as possible to avoid potential attacks or issues caused by this vulnerability.

References

- Syzkaller bug report
- Linux kernel commit resolving the issue

Closing thoughts: We appreciate the diligent work of the syzkaller project and the Linux kernel developers in identifying and fixing this vulnerability. As always, we recommend keeping your systems updated with the latest patches and maintaining a strong security posture to protect against threats.

Timeline

Published on: 10/29/2024 01:15:05 UTC
Last modified on: 10/30/2024 14:49:42 UTC