CVE-2023-54176

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> mptcp: stricter state check in mptcp_worker<br /> <br /> As reported by Christoph, the mptcp protocol can run the<br /> worker when the relevant msk socket is in an unexpected state:<br /> <br /> connect()<br /> // incoming reset + fastclose<br /> // the mptcp worker is scheduled<br /> mptcp_disconnect()<br /> // msk is now CLOSED<br /> listen()<br /> mptcp_worker()<br /> <br /> Leading to the following splat:<br /> <br /> divide error: 0000 [#1] PREEMPT SMP<br /> CPU: 1 PID: 21 Comm: kworker/1:0 Not tainted 6.3.0-rc1-gde5e8fd0123c #11<br /> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.11.0-2.el7 04/01/2014<br /> Workqueue: events mptcp_worker<br /> RIP: 0010:__tcp_select_window+0x22c/0x4b0 net/ipv4/tcp_output.c:3018<br /> RSP: 0018:ffffc900000b3c98 EFLAGS: 00010293<br /> RAX: 000000000000ffd7 RBX: 000000000000ffd7 RCX: 0000000000000000<br /> RDX: 0000000000000000 RSI: ffffffff8214ce97 RDI: 0000000000000004<br /> RBP: 000000000000ffd7 R08: 0000000000000004 R09: 0000000000010000<br /> R10: 000000000000ffd7 R11: ffff888005afa148 R12: 000000000000ffd7<br /> R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000<br /> FS: 0000000000000000(0000) GS:ffff88803ed00000(0000) knlGS:0000000000000000<br /> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br /> CR2: 0000000000405270 CR3: 000000003011e006 CR4: 0000000000370ee0<br /> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000<br /> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400<br /> Call Trace:<br /> <br /> tcp_select_window net/ipv4/tcp_output.c:262 [inline]<br /> __tcp_transmit_skb+0x356/0x1280 net/ipv4/tcp_output.c:1345<br /> tcp_transmit_skb net/ipv4/tcp_output.c:1417 [inline]<br /> tcp_send_active_reset+0x13e/0x320 net/ipv4/tcp_output.c:3459<br /> mptcp_check_fastclose net/mptcp/protocol.c:2530 [inline]<br /> mptcp_worker+0x6c7/0x800 net/mptcp/protocol.c:2705<br /> process_one_work+0x3bd/0x950 kernel/workqueue.c:2390<br /> worker_thread+0x5b/0x610 kernel/workqueue.c:2537<br /> kthread+0x138/0x170 kernel/kthread.c:376<br /> ret_from_fork+0x2c/0x50 arch/x86/entry/entry_64.S:308<br /> <br /> <br /> This change addresses the issue explicitly checking for bad states<br /> before running the mptcp worker.