The vulnerability is in the Linux kernel's Multipath TCP (MPTCP) implementation, specifically in `mptcp_frag_can_collapse_to()` in `net/mptcp/protocol.c`. That predicate decides whether new payload can be appended to ("collapsed into") the socket's last `mptcp_data_frag`, and it assumes that only MPTCP allocates from the task's current page fragment. The page fragment is shared, however: if another user of it, such as plain TCP, allocates bytes from the same page in between, MPTCP extends its data fragment over memory that has already been handed out, re-using already allocated memory for `mptcp_data_frag` and corrupting the data stream.

The problem was hit when a TCP transparent proxy was forced to use MPTCP for its inbound connections; Maxim reported it and provided a clean reproducer. The fix adds one condition to `mptcp_frag_can_collapse_to()`: the to-be-expanded data fragment must end exactly at the page fragment's current end (`pfrag->offset`). If anything else has taken bytes from the page since the fragment was created, that check fails, the fragment is not collapsed into, and MPTCP starts a new one instead, so no already-allocated memory is reused and the corruption cannot occur.

The bug was introduced in kernel 5.7 by commit 18b683bff89d and is fixed in 5.10.42 (commit 3267a061096e), 5.12.9 (commit 18e7f0580da1) and 5.13 (commit 29249eac5225). The affected file is `net/mptcp/protocol.c`. The Linux kernel CVE team recommends updating to the latest stable kernel rather than cherry-picking this change, since individual changes are not tested or supported in isolation. To confirm a kernel tree carries the fix, check that `mptcp_frag_can_collapse_to()` compares `pfrag->offset` against the end of the data fragment (`df->offset + df->data_len`).
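The following is an added user-space model, not kernel code and not part of the original advisory, of why the pre-fix predicate corrupts data and why the extra offset check stops it. The struct names mirror the kernel's `page_frag` and `mptcp_data_frag` but are simplified (the fragment header is kept off-page, there is no per-fragment overhead, and the send-path cursor arithmetic is followed only in outline); the scenario, buffer sizes and sequence numbers are constructed for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MODEL_PAGE_SIZE 4096

/* Modelled after struct page_frag: one page shared by every allocator on
 * the task, with a single "first free byte" cursor (offset). */
struct page_frag {
    uint8_t *page;
    uint32_t offset;
    uint32_t size;
};

/* The subset of struct mptcp_data_frag the predicate looks at. In the
 * kernel this header lives inside the page; here it is kept off-page so
 * the model has no per-fragment overhead (a simplification). */
struct mptcp_data_frag {
    uint8_t *page;
    uint32_t offset;   /* start of the payload in the page */
    uint32_t data_len; /* payload bytes written so far */
    uint64_t data_seq; /* MPTCP data sequence number of the first byte */
};

struct mptcp_sock_model {
    uint64_t write_seq; /* next MPTCP data sequence number to be written */
};

/* Pre-fix checks: same page, free bytes left, fragment is seq-contiguous.
 * Nothing ties the fragment's end to the allocator cursor. */
static bool frag_can_collapse_buggy(const struct mptcp_sock_model *msk,
                                    const struct page_frag *pfrag,
                                    const struct mptcp_data_frag *df)
{
    return df && pfrag->page == df->page &&
           pfrag->size - pfrag->offset > 0 &&
           df->data_seq + df->data_len == msk->write_seq;
}

/* Fixed checks: the fragment must also end exactly at pfrag->offset, so a
 * collapse is refused once anyone else has taken bytes from the page. */
static bool frag_can_collapse_fixed(const struct mptcp_sock_model *msk,
                                    const struct page_frag *pfrag,
                                    const struct mptcp_data_frag *df)
{
    return df && pfrag->page == df->page &&
           pfrag->size - pfrag->offset > 0 &&
           pfrag->offset == df->offset + df->data_len &&
           df->data_seq + df->data_len == msk->write_seq;
}

/* Append len bytes of MPTCP payload: collapse into df when the predicate
 * allows it, otherwise start a fresh fragment at the cursor. The copy goes
 * to df->offset + df->data_len and the cursor advances by the amount
 * written (simplified from the kernel send path). Returns the copy offset. */
static uint32_t mptcp_append(struct mptcp_sock_model *msk, struct page_frag *pfrag,
                             struct mptcp_data_frag *df, const uint8_t *src,
                             uint32_t len, bool use_fix)
{
    bool collapse = use_fix ? frag_can_collapse_fixed(msk, pfrag, df)
                            : frag_can_collapse_buggy(msk, pfrag, df);
    if (!collapse) {
        df->page = pfrag->page;
        df->offset = pfrag->offset;
        df->data_len = 0;
        df->data_seq = msk->write_seq;
    }
    uint32_t dst = df->offset + df->data_len;
    memcpy(pfrag->page + dst, src, len);
    df->data_len += len;
    msk->write_seq += len;
    pfrag->offset += len;
    return dst;
}

/* Constructed scenario: MPTCP writes 64 bytes, plain TCP then takes 32
 * bytes from the same page_frag, and MPTCP appends 64 more. *tcp_intact
 * reports whether TCP's bytes survived; returns where the second MPTCP
 * write landed. */
static uint32_t run_scenario(bool use_fix, bool *tcp_intact)
{
    static uint8_t page[MODEL_PAGE_SIZE];
    uint8_t a[64], b[64], t[32];
    struct page_frag pfrag = { page, 0, MODEL_PAGE_SIZE };
    struct mptcp_sock_model msk = { 1000 };
    struct mptcp_data_frag df = { 0 };

    memset(page, 0, sizeof page);
    memset(a, 'A', sizeof a);
    memset(b, 'B', sizeof b);
    memset(t, 'T', sizeof t);

    mptcp_append(&msk, &pfrag, &df, a, sizeof a, use_fix); /* fragment at 0..63 */

    uint32_t tcp_off = pfrag.offset;          /* plain TCP borrows 64..95 */
    memcpy(page + tcp_off, t, sizeof t);
    pfrag.offset += sizeof t;

    uint32_t second = mptcp_append(&msk, &pfrag, &df, b, sizeof b, use_fix);
    *tcp_intact = memcmp(page + tcp_off, t, sizeof t) == 0;
    return second;
}

static bool tcp_bytes_intact(bool use_fix)
{
    bool intact;
    run_scenario(use_fix, &intact);
    return intact;
}

static uint32_t second_write_offset(bool use_fix)
{
    bool intact;
    return run_scenario(use_fix, &intact);
}

int main(void)
{
    printf("buggy: second write at %u, TCP bytes intact: %s\n",
           second_write_offset(false), tcp_bytes_intact(false) ? "yes" : "no");
    printf("fixed: second write at %u, TCP bytes intact: %s\n",
           second_write_offset(true), tcp_bytes_intact(true) ? "yes" : "no");
    return 0;
}
```

With the pre-fix predicate the second MPTCP write lands at offset 64, directly over the bytes plain TCP had just allocated at 64..95; with the added `pfrag->offset == df->offset + df->data_len` check the collapse is refused and the write goes to a fresh fragment at offset 96, leaving TCP's bytes untouched.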