CVE-2024-36889: mptcp: ensure snd_nxt is properly initialized on connect
In the Linux kernel, the following vulnerability has been resolved:
mptcp: ensure snd_nxt is properly initialized on connect
Christoph reported a splat hinting at a corrupted snd_una:
WARNING: CPU: 1 PID: 38 at net/mptcp/protocol.c:1005 __mptcp_clean_una+0x4b3/0x620 net/mptcp/protocol.c:1005
Modules linked in:
CPU: 1 PID: 38 Comm: kworker/1:1 Not tainted 6.9.0-rc1-gbbeac67456c9 #59
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.11.0-2.el7 04/01/2014
Workqueue: events mptcp_worker
RIP: 0010:__mptcp_clean_una+0x4b3/0x620 net/mptcp/protocol.c:1005
Code: be 06 01 00 00 bf 06 01 00 00 e8 a8 12 e7 fe e9 00 fe ff ff e8 8e 1a e7 fe 0f b7 ab 3e 02 00 00 e9 d3 fd ff ff e8 7d 1a e7 fe <0f> 0b 4c 8b bb e0 05 00 00 e9 74 fc ff ff e8 6a 1a e7 fe 0f 0b e9
RSP: 0018:ffffc9000013fd48 EFLAGS: 00010293
RAX: 0000000000000000 RBX: ffff8881029bd280 RCX: ffffffff82382fe4
RDX: ffff8881003cbd00 RSI: ffffffff823833c3 RDI: 0000000000000001
RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000000 R11: fefefefefefefeff R12: ffff888138ba8000
R13: 0000000000000106 R14: ffff8881029bd908 R15: ffff888126560000
FS:  0000000000000000(0000) GS:ffff88813bd00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f604a5dae38 CR3: 0000000101dac002 CR4: 0000000000170ef0
Call Trace:
 <TASK>
 __mptcp_clean_una_wakeup net/mptcp/protocol.c:1055 [inline]
 mptcp_clean_una_wakeup net/mptcp/protocol.c:1062 [inline]
 __mptcp_retrans+0x7f/0x7e0 net/mptcp/protocol.c:2615
 mptcp_worker+0x434/0x740 net/mptcp/protocol.c:2767
 process_one_work+0x1e0/0x560 kernel/workqueue.c:3254
 process_scheduled_works kernel/workqueue.c:3335 [inline]
 worker_thread+0x3c7/0x640 kernel/workqueue.c:3416
 kthread+0x121/0x170 kernel/kthread.c:388
 ret_from_fork+0x44/0x50 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:243
 </TASK>
When fallback to TCP happens early on a client socket, snd_nxt is not yet initialized and any incoming ack will copy such value into snd_una. If the mptcp worker (dumbly) tries mptcp-level re-injection after such ack, that would unconditionally trigger a send buffer cleanup using 'bad' snd_una values.
We could easily disable re-injection for fallback sockets, but such dumb behavior already helped catch a few subtle issues and has a very low to zero impact in practice.
Instead, address the issue by always initializing snd_nxt (and write_seq, for consistency) at connect time.
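The following is an added illustration, not kernel code: a small model of the sequence-number state described above, showing why an uninitialized snd_nxt lets an early fallback ack push snd_una out of range, and why initializing it at connect time keeps the send-buffer cleanup invariant. All names (struct msk_model, scenario, una_update_sane) are hypothetical.

```c
#include <stdbool.h>
#include <stdint.h>

/* Minimal model of the MPTCP-level sequence state involved in the bug.
 * Hypothetical names; this is not the kernel's struct mptcp_sock. */
struct msk_model {
    uint64_t write_seq; /* end of data queued for transmission */
    uint64_t snd_nxt;   /* next sequence number to be sent */
    uint64_t snd_una;   /* oldest unacknowledged sequence number */
};

/* Pre-fix connect: write_seq is set but snd_nxt is left untouched, so it
 * keeps whatever stale value the memory held (passed in explicitly here). */
static void connect_before_fix(struct msk_model *m, uint64_t isn, uint64_t stale)
{
    m->write_seq = isn;
    m->snd_una = isn;
    m->snd_nxt = stale; /* the uninitialized field */
}

/* Post-fix connect: snd_nxt and write_seq are both initialized at connect. */
static void connect_after_fix(struct msk_model *m, uint64_t isn)
{
    m->write_seq = isn;
    m->snd_una = isn;
    m->snd_nxt = isn;
}

/* On an early fallback-to-TCP socket, an incoming ack copies snd_nxt
 * into snd_una, as the commit message describes. */
static void fallback_ack(struct msk_model *m)
{
    m->snd_una = m->snd_nxt;
}

/* Invariant the send-buffer cleanup relies on (simplified, no wraparound):
 * an ack may neither move snd_una backwards nor beyond queued data. */
static bool una_update_sane(uint64_t old_una, uint64_t new_una, uint64_t write_seq)
{
    return new_una >= old_una && new_una <= write_seq;
}

/* Run one connect+fallback-ack scenario; returns whether snd_una stayed sane. */
bool scenario(bool fixed, uint64_t isn, uint64_t stale)
{
    struct msk_model m;
    if (fixed)
        connect_after_fix(&m, isn);
    else
        connect_before_fix(&m, isn, stale);
    uint64_t old_una = m.snd_una;
    fallback_ack(&m);
    return una_update_sane(old_una, m.snd_una, m.write_seq);
}
```

With a stale snd_nxt the ack lands either before the old snd_una or past write_seq, which is the 'bad' state the worker's cleanup later warns about; with the fix the ack is a no-op within range.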
Other sources
In the Linux kernel, the following vulnerability has been resolved:
mptcp: ensure snd_nxt is properly initialized on connect
The Linux kernel CVE team has assigned CVE-2024-36889 to this issue.
Upstream advisory: https://lore.kernel.org/linux-cve-announce/2024053033-CVE-2024-36889-222d@gregkh/T
— Red Hat
Linux Kernel is vulnerable to a denial of service, caused by the failure to ensure snd_nxt is properly initialized on connect. By sending a specially crafted request, a local authenticated attacker could exploit this vulnerability to cause a denial of service.
— IBM
Frequently Asked Questions
What is the severity of CVE-2024-36889?
CVE-2024-36889 is classified as a moderate severity vulnerability in the Linux kernel.
How do I fix CVE-2024-36889?
To fix CVE-2024-36889, update your Linux kernel to the versions 5.10.218, 5.15.159, 6.1.91, 6.6.31, 6.8.10, or 6.9 as appropriate.
Which versions of the Linux kernel are affected by CVE-2024-36889?
CVE-2024-36889 affects various versions of the Linux kernel prior to the specified patched versions.
What impact does CVE-2024-36889 have on Linux systems?
CVE-2024-36889 stems from snd_nxt not being initialized when a client socket connects; after an early fallback to TCP, an incoming ack can corrupt snd_una and trigger a kernel warning during send-buffer cleanup, which is a local denial-of-service risk.
Who reported the CVE-2024-36889 vulnerability?
The CVE-2024-36889 vulnerability was reported by Christoph.