CVE-2025-23145
01.05.2025, 13:15
In the Linux kernel, the following vulnerability has been resolved: mptcp: fix NULL pointer in can_accept_new_subflow When testing valkey benchmark tool with MPTCP, the kernel panics in 'mptcp_can_accept_new_subflow' because subflow_req->msk is NULL. Call trace: mptcp_can_accept_new_subflow (./net/mptcp/subflow.c:63 (discriminator 4)) (P) subflow_syn_recv_sock (./net/mptcp/subflow.c:854) tcp_check_req (./net/ipv4/tcp_minisocks.c:863) tcp_v4_rcv (./net/ipv4/tcp_ipv4.c:2268) ip_protocol_deliver_rcu (./net/ipv4/ip_input.c:207) ip_local_deliver_finish (./net/ipv4/ip_input.c:234) ip_local_deliver (./net/ipv4/ip_input.c:254) ip_rcv_finish (./net/ipv4/ip_input.c:449) ... According to the debug log, the same req received two SYN-ACK in a very short time, very likely because the client retransmits the syn ack due to multiple reasons. Even if the packets are transmitted with a relevant time interval, they can be processed by the server on different CPUs concurrently). The 'subflow_req->msk' ownership is transferred to the subflow the first, and there will be a risk of a null pointer dereference here. This patch fixes this issue by moving the 'subflow_req->msk' under the `own_req == true` conditional. Note that the !msk check in subflow_hmac_valid() can be dropped, because the same check already exists under the own_req mpj branch where the code has been moved to.Enginsight
| Vendor | Product | Version |
|---|---|---|
| linux | linux_kernel | 5.9 ≤ 𝑥 < 5.10.237 |
| linux | linux_kernel | 5.11 ≤ 𝑥 < 5.15.181 |
| linux | linux_kernel | 5.16 ≤ 𝑥 < 6.1.135 |
| linux | linux_kernel | 6.2 ≤ 𝑥 < 6.6.88 |
| linux | linux_kernel | 6.7 ≤ 𝑥 < 6.12.24 |
| linux | linux_kernel | 6.13 ≤ 𝑥 < 6.13.12 |
| linux | linux_kernel | 6.14 ≤ 𝑥 < 6.14.3 |
| debian | debian_linux | 11.0 |
𝑥
= Vulnerable software versions
Debian Releases
Common Weakness Enumeration
References