Entreprise française de cybersécurité depuis 2004
☎ 03 60 47 09 81 - info@securiteinfo.com
☎ 03 60 47 09 81 - info@securiteinfo.com
In the Linux kernel, the following vulnerability has been resolved:mptcp: fix NULL pointer in can_accept_new_subflowWhen testing valkey benchmark tool with MPTCP, the kernel panics in'mptcp_can_accept_new_subflow' because subflow_req->msk is NULL.Call trace: mptcp_can_accept_new_subflow (./net/mptcp/subflow.c:63 (discriminator 4)) (P) subflow_syn_recv_sock (./net/mptcp/subflow.c:854) tcp_check_req (./net/ipv4/tcp_minisocks.c:863) tcp_v4_rcv (./net/ipv4/tcp_ipv4.c:2268) ip_protocol_deliver_rcu (./net/ipv4/ip_input.c:207) ip_local_deliver_finish (./net/ipv4/ip_input.c:234) ip_local_deliver (./net/ipv4/ip_input.c:254) ip_rcv_finish (./net/ipv4/ip_input.c:449) ...According to the debug log, the same req received two SYN-ACK in a veryshort time, very likely because the client retransmits the syn ack dueto multiple reasons.Even if the packets are transmitted with a relevant time interval, theycan be processed by the server on different CPUs concurrently). The'subflow_req->msk' ownership is transferred to the subflow the first,and there will be a risk of a null pointer dereference here.This patch fixes this issue by moving the 'subflow_req->msk' under the`own_req == true` conditional.Note that the !msk check in subflow_hmac_valid() can be dropped, becausethe same check already exists under the own_req mpj branch where thecode has been moved to.
No PoCs from references.
- https://github.com/w4zu/Debian_security