**Vulnerability Description:**

The vulnerability exists in the Linux kernel's MPTCP (Multipath TCP) protocol implementation, specifically in the `mptcp_release_cb` function. The issue arises from the use of an atomic bit operation to test and clear a specific bit (`MPTCP_DATA_READY`) in the `msk` receive queue. This can lead to a race condition, causing the kernel to access uninitialized memory or perform incorrect operations.

**Technical Details:**

The vulnerability is triggered when the `mptcp_recvmsg` function is called, which eventually leads to the execution of `mptcp_release_cb`. In that function, the `test_and_clear_bit` macro is used to clear the `MPTCP_DATA_READY` bit in the `msk` receive queue. However, this operation is not atomic, and a concurrent access to the same bit can occur, leading to a race condition.

**Exploitation:**

The vulnerability can be exploited by an attacker who can trigger the execution of the vulnerable code path, potentially leading to a kernel crash or arbitrary code execution.

**Fix:**

The fix replaces the `MPTCP_DATA_READY` bit with direct inspection of the `msk` receive queue. Reading the queue state itself, rather than a separately maintained flag, makes the check atomic and eliminates the race condition.

**Affected Versions:**

The vulnerability was introduced in Linux kernel version 5.6 (commit 7a6a6cbc3e59) and fixed in versions 5.14.14 (commit 1a4554e94f0d) and 5.15 (commit 612f71d7328c).

**Mitigation:**

The Linux kernel CVE team recommends updating to the latest stable kernel version to resolve this vulnerability, as well as other bugfixes. Cherry-picking individual commits is not recommended or supported by the Linux kernel community.
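As an added illustration, not code from the kernel or from this advisory, the following userspace C model shows why a cached readiness bit can disagree with the queue it stands for, and why reading the queue directly removes the race. The `struct msk_model`, `data_arrives`, `drain` and `replay_race` names and the replayed interleaving are assumptions made for the example.

```c
#include <stdbool.h>
#include <stddef.h>

#define DATA_READY_BIT 0x1u   /* stands in for MPTCP_DATA_READY */

/* Simplified model, not the kernel's struct: a cached readiness bit
 * beside the receive queue it is supposed to mirror. */
struct msk_model {
    unsigned int flags;
    size_t queued_bytes;      /* stands in for the msk receive queue */
};

/* Incoming data is queued, then the cached bit is set. */
void data_arrives(struct msk_model *m, size_t len)
{
    m->queued_bytes += len;
    m->flags |= DATA_READY_BIT;
}

/* Reader takes everything currently queued; returns bytes consumed. */
size_t drain(struct msk_model *m)
{
    size_t taken = m->queued_bytes;
    m->queued_bytes = 0;
    return taken;
}

/* Pre-fix readiness check: trust the cached bit. */
bool ready_by_flag(const struct msk_model *m)
{
    return (m->flags & DATA_READY_BIT) != 0;
}

/* Post-fix readiness check: inspect the queue directly. */
bool ready_by_queue(const struct msk_model *m)
{
    return m->queued_bytes != 0;
}

/* Replays one losing interleaving, assumed for illustration: the reader
 * drains, more data lands and sets the bit, and the reader's deferred
 * clear of the bit runs last. The queue is non-empty but the bit is off. */
bool replay_race(bool inspect_queue)
{
    struct msk_model m = { 0, 0 };
    data_arrives(&m, 100);
    (void)drain(&m);                  /* reader believes the queue is empty */
    data_arrives(&m, 50);             /* concurrent arrival sets the bit */
    m.flags &= ~DATA_READY_BIT;       /* stale clear wipes that out */
    return inspect_queue ? ready_by_queue(&m) : ready_by_flag(&m);
}
```

With the flag-based check the 50 queued bytes are reported as "not ready"; the queue-based check reports them correctly, which is the property the fix restores.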