CVE-2024-50083

In the Linux kernel, the following vulnerability has been resolved:

tcp: fix mptcp DSS corruption due to large pmtu xmit

Syzkaller was able to trigger a DSS corruption:

TCP: requestsocksubflow_v4: Possible SYN flooding on port [::]:20002. Sending cookies. ------------[ cut here ]------------ WARNING: CPU: 0 PID: 5227 at net/mptcp/protocol.c:695 __mptcpmoveskbsfromsubflow+0x20a9/0x21f0 net/mptcp/protocol.c:695 Modules linked in: CPU: 0 UID: 0 PID: 5227 Comm: syz-executor350 Not tainted 6.11.0-syzkaller-08829-gaf9c191ac2a0 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024 RIP: 0010:__mptcpmoveskbsfromsubflow+0x20a9/0x21f0 net/mptcp/protocol.c:695 Code: 0f b6 dc 31 ff 89 de e8 b5 dd ea f5 89 d8 48 81 c4 50 01 00 00 5b 41 5c 41 5d 41 5e 41 5f 5d c3 cc cc cc cc e8 98 da ea f5 90 <0f> 0b 90 e9 47 ff ff ff e8 8a da ea f5 90 0f 0b 90 e9 99 e0 ff ff RSP: 0018:ffffc90000006db8 EFLAGS: 00010246 RAX: ffffffff8ba9df18 RBX: 00000000000055f0 RCX: ffff888030023c00 RDX: 0000000000000100 RSI: 00000000000081e5 RDI: 00000000000055f0 RBP: 1ffff110062bf1ae R08: ffffffff8ba9cf12 R09: 1ffff110062bf1b8 R10: dffffc0000000000 R11: ffffed10062bf1b9 R12: 0000000000000000 R13: dffffc0000000000 R14: 00000000700cec61 R15: 00000000000081e5 FS: 000055556679c380(0000) GS:ffff8880b8600000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000020287000 CR3: 0000000077892000 CR4: 00000000003506f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <IRQ> moveskbstomsk net/mptcp/protocol.c:811 [inline] mptcpdataready+0x29c/0xa90 net/mptcp/protocol.c:854 subflowdataready+0x34a/0x920 net/mptcp/subflow.c:1490 tcpdataqueue+0x20fd/0x76c0 net/ipv4/tcpinput.c:5283 tcprcvestablished+0xfba/0x2020 net/ipv4/tcpinput.c:6237 tcpv4dorcv+0x96d/0xc70 net/ipv4/tcpipv4.c:1915 tcpv4rcv+0x2dc0/0x37f0 net/ipv4/tcpipv4.c:2350 ipprotocoldeliverrcu+0x22e/0x440 net/ipv4/ipinput.c:205 iplocaldeliverfinish+0x341/0x5f0 net/ipv4/ipinput.c:233 NFHOOK+0x3a4/0x450 include/linux/netfilter.h:314 NFHOOK+0x3a4/0x450 include/linux/netfilter.h:314 __netifreceiveskbonecore net/core/dev.c:5662 [inline] __netifreceiveskb+0x2bf/0x650 net/core/dev.c:5775 process_backlog+0x662/0x15b0 net/core/dev.c:6107 __napipoll+0xcb/0x490 net/core/dev.c:6771 napipoll net/core/dev.c:6840 [inline] netrxaction+0x89b/0x1240 net/core/dev.c:6962 handlesoftirqs+0x2c5/0x980 kernel/softirq.c:554 dosoftirq+0x11b/0x1e0 kernel/softirq.c:455 </IRQ> <TASK> __localbhenableip+0x1bb/0x200 kernel/softirq.c:382 localbhenable include/linux/bottomhalf.h:33 [inline] rcureadunlock_bh include/linux/rcupdate.h:919 [inline] __devqueuexmit+0x1764/0x3e80 net/core/dev.c:4451 devqueuexmit include/linux/netdevice.h:3094 [inline] neighhhoutput include/net/neighbour.h:526 [inline] neighoutput include/net/neighbour.h:540 [inline] ipfinishoutput2+0xd41/0x1390 net/ipv4/ipoutput.c:236 iplocalout net/ipv4/ip_output.c:130 [inline] __ipqueuexmit+0x118c/0x1b80 net/ipv4/ip_output.c:536 __tcptransmitskb+0x2544/0x3b30 net/ipv4/tcpoutput.c:1466 tcptransmitskb net/ipv4/tcpoutput.c:1484 [inline] tcpmtuprobe net/ipv4/tcpoutput.c:2547 [inline] tcpwritexmit+0x641d/0x6bf0 net/ipv4/tcpoutput.c:2752 __tcppushpendingframes+0x9b/0x360 net/ipv4/tcpoutput.c:3015 tcppushpendingframes include/net/tcp.h:2107 [inline] tcpdatasndcheck net/ipv4/tcpinput.c:5714 [inline] tcprcvestablished+0x1026/0x2020 net/ipv4/tcpinput.c:6239 tcpv4dorcv+0x96d/0xc70 net/ipv4/tcpipv4.c:1915 skbacklogrcv include/net/sock.h:1113 [inline] __releasesock+0x214/0x350 net/core/sock.c:3072 releasesock+0x61/0x1f0 net/core/sock.c:3626 mptcppush ---truncated---