CVE-2024-45009 mptcp: pm: only decrement add_addr_accepted for MPJ req

2024-09-1115:13:47

Linux

www.cve.org

linux kernel

mptcp

vulnerability

EPSS

Percentile

5.1%

JSON

In the Linux kernel, the following vulnerability has been resolved:

mptcp: pm: only decrement add_addr_accepted for MPJ req

Adding the following warning …

WARN_ON_ONCE(msk->pm.add_addr_accepted == 0)

… before decrementing the add_addr_accepted counter helped to find a
bug when running the “remove single subflow” subtest from the
mptcp_join.sh selftest.

Removing a ‘subflow’ endpoint will first trigger a RM_ADDR, then the
subflow closure. Before this patch, and upon the reception of the
RM_ADDR, the other peer will then try to decrement this
add_addr_accepted. That’s not correct because the attached subflows have
not been created upon the reception of an ADD_ADDR.

A way to solve that is to decrement the counter only if the attached
subflow was an MP_JOIN to a remote id that was not 0, and initiated by
the host receiving the RM_ADDR.

CNA Affected

[
  {
    "product": "Linux",
    "vendor": "Linux",
    "defaultStatus": "unaffected",
    "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
    "programFiles": [
      "net/mptcp/pm_netlink.c"
    ],
    "versions": [
      {
        "version": "d0876b2284cf",
        "lessThan": "35b31f5549ed",
        "status": "affected",
        "versionType": "git"
      },
      {
        "version": "d0876b2284cf",
        "lessThan": "85b866e4c4e6",
        "status": "affected",
        "versionType": "git"
      },
      {
        "version": "d0876b2284cf",
        "lessThan": "d20bf2c96d7f",
        "status": "affected",
        "versionType": "git"
      },
      {
        "version": "d0876b2284cf",
        "lessThan": "2060f1efab37",
        "status": "affected",
        "versionType": "git"
      },
      {
        "version": "d0876b2284cf",
        "lessThan": "1c1f72137598",
        "status": "affected",
        "versionType": "git"
      }
    ]
  },
  {
    "product": "Linux",
    "vendor": "Linux",
    "defaultStatus": "affected",
    "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
    "programFiles": [
      "net/mptcp/pm_netlink.c"
    ],
    "versions": [
      {
        "version": "5.10",
        "status": "affected"
      },
      {
        "version": "0",
        "lessThan": "5.10",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "5.15.167",
        "lessThanOrEqual": "5.15.*",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "6.1.107",
        "lessThanOrEqual": "6.1.*",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "6.6.48",
        "lessThanOrEqual": "6.6.*",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "6.10.7",
        "lessThanOrEqual": "6.10.*",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "6.11",
        "lessThanOrEqual": "*",
        "status": "unaffected",
        "versionType": "original_commit_for_fix"
      }
    ]
  }
]