CVE-2024-53123 - Resolving MPTCP Division by Zero Splat in Linux Kernel

In the Linux kernel, a recent vulnerability has been resolved, which was causing a division by zero splat in the Multipath TCP (MPTCP) protocol. The vulnerability was reported by Eric, who provided a reproducer as well. In this post, we will discuss the details of the vulnerability and the fix that was implemented.

Vulnerability Details

The issue was caused due to the bad handling of racing disconnects in the MPTCP protocol. After a certain commit, the sk_wait_data() function could return (with error) while the underlying socket was disconnected and had a zero rcv_mss. This caused a division by zero error, leading to a kernel panic. The crash log provided by Eric is shown below:

Oops: divide error: 000 [#1] PREEMPT SMP KASAN PTI
CPU: 1 UID:  PID: 6094 Comm: syz-executor317 Not tainted
6.12.-rc5-syzkaller-00291-g05b92660cdfe #
Hardware name: Google Google Compute Engine/Google Compute Engine,
BIOS Google 09/13/2024
RIP: 001:__tcp_select_window+x5b4/x131 net/ipv4/tcp_output.c:3163
...

The error occurred in the __tcp_select_window() function in the net/ipv4/tcp_output.c file.

Fix Details

To fix this issue, the error is caught and returned without performing any additional operations on the current socket. The changes were made in the mptcp_rcv_space_adjust function in the net/mptcp/protocol.c file.

To better understand the fix, let's briefly discuss the function

void mptcp_rcv_space_adjust(struct mptcp_sock *msk, int copied);

The mptcp_rcv_space_adjust function handles the receive window auto-tuning logic for MPTCP sockets. It receives the MPTCP socket (msk) and the amount of copied data (copied) as its parameters.

The fix simply adds an error check after the following line of code

ret = sk_wait_data(subflow->sk, &timeo, last_receive, NULL);

After this line, the following check is added

if (ret < )
    return;

By checking if ret is less than zero, which indicates an error, we can prevent further operations on the current socket, avoiding the division by zero error.

Conclusion

The Linux kernel vulnerability CVE-2024-53123 was caused by poor handling of racing disconnects in the MPTCP protocol, and has been resolved by properly checking for errors and returning early when necessary. This helps ensure that future versions of the Linux kernel will be more stable and secure.

Original references

1. Linux kernel source code
2. MPTCP Protocol

Timeline

Published on: 12/02/2024 14:15:13 UTC
Last modified on: 12/11/2024 21:17:25 UTC