CVE-2024-26826
mptcp: fix data re-injection from stale subflow
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
In the Linux kernel, the following vulnerability has been resolved:
mptcp: fix data re-injection from stale subflow
When the MPTCP PM detects that a subflow is stale, all the packet
scheduler must re-inject all the mptcp-level unacked data. To avoid
acquiring unneeded locks, it first try to check if any unacked data
is present at all in the RTX queue, but such check is currently
broken, as it uses TCP-specific helper on an MPTCP socket.
Funnily enough fuzzers and static checkers are happy, as the accessed
memory still belongs to the mptcp_sock struct, and even from a
functional perspective the recovery completed successfully, as
the short-cut test always failed.
A recent unrelated TCP change - commit d5fed5addb2b ("tcp: reorganize
tcp_sock fast path variables") - exposed the issue, as the tcp field
reorganization makes the mptcp code always skip the re-inection.
Fix the issue dropping the bogus call: we are on a slow path, the early
optimization proved once again to be evil.
En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: mptcp: corrige la reinyección de datos desde un subflujo obsoleto Cuando MPTCP PM detecta que un subflujo está obsoleto, todo el programador de paquetes debe reinyectar todos los datos no codificados del nivel mptcp. Para evitar adquirir bloqueos innecesarios, primero intenta verificar si hay datos no bloqueados presentes en la cola RTX, pero dicha verificación actualmente no funciona, ya que utiliza un asistente específico de TCP en un socket MPTCP. Curiosamente, los fuzzers y los comprobadores estáticos están contentos, ya que la memoria a la que se accede todavía pertenece a la estructura mptcp_sock, e incluso desde una perspectiva funcional la recuperación se completó con éxito, ya que la prueba de acceso directo siempre fallaba. Un cambio reciente de TCP no relacionado (commit d5fed5addb2b ("tcp: reorganizar las variables de ruta rápida de tcp_sock")) expuso el problema, ya que la reorganización del campo tcp hace que el código mptcp siempre omita la reinección. Solucione el problema eliminando la llamada falsa: estamos en un camino lento, la optimización inicial demostró una vez más ser mala.
A flaw was found in the Linux kernel. A logical error in the Multipath TCP packet manager causes some packets intended for retransmission to be lost, resulting in a potential denial of service.
CVSS Scores
SSVC
- Decision:Track
Timeline
- 2024-02-19 CVE Reserved
- 2024-04-17 CVE Published
- 2024-04-18 EPSS Updated
- 2024-12-19 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-20: Improper Input Validation
CAPEC
References (8)
URL | Tag | Source |
---|---|---|
https://git.kernel.org/stable/c/1e1d9d6f119c55c05e8ea78ed3e49046690abffd | Vuln. Introduced |
URL | Date | SRC |
---|
URL | Date | SRC |
---|---|---|
https://access.redhat.com/security/cve/CVE-2024-26826 | 2024-10-30 | |
https://bugzilla.redhat.com/show_bug.cgi?id=2275604 | 2024-10-30 |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status | ||||||
---|---|---|---|---|---|---|---|---|---|---|
Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 5.15 < 5.15.149 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.15 < 5.15.149" | en |
Affected
| ||||||
Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 5.15 < 6.1.79 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.15 < 6.1.79" | en |
Affected
| ||||||
Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 5.15 < 6.6.18 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.15 < 6.6.18" | en |
Affected
| ||||||
Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 5.15 < 6.7.6 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.15 < 6.7.6" | en |
Affected
| ||||||
Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 5.15 < 6.8 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.15 < 6.8" | en |
Affected
|