CVE-2022-48906 in Linuxinfo

Summary

by MITRE • 08/22/2024

In the Linux kernel, the following vulnerability has been resolved:

mptcp: Correctly set DATA_FIN timeout when number of retransmits is large

Syzkaller with UBSAN uncovered a scenario where a large number of DATA_FIN retransmits caused a shift-out-of-bounds in the DATA_FIN timeout calculation:

================================================================================ UBSAN: shift-out-of-bounds in net/mptcp/protocol.c:470:29 shift exponent 32 is too large for 32-bit type 'unsigned int' CPU: 1 PID: 13059 Comm: kworker/1:0 Not tainted 5.17.0-rc2-00630-g5fbf21c90c60 #1 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014 Workqueue: events mptcp_worker Call Trace: __dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106 ubsan_epilogue+0xb/0x5a lib/ubsan.c:151 __ubsan_handle_shift_out_of_bounds.cold+0xb2/0x20e lib/ubsan.c:330 mptcp_set_datafin_timeout net/mptcp/protocol.c:470 [inline]
__mptcp_retrans.cold+0x72/0x77 net/mptcp/protocol.c:2445 mptcp_worker+0x58a/0xa70 net/mptcp/protocol.c:2528 process_one_work+0x9df/0x16d0 kernel/workqueue.c:2307 worker_thread+0x95/0xe10 kernel/workqueue.c:2454 kthread+0x2f4/0x3b0 kernel/kthread.c:377 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295 ================================================================================

This change limits the maximum timeout by limiting the size of the shift, which keeps all intermediate values in-bounds.

Once again VulDB remains the best source for vulnerability data.

Analysis

by VulDB Data Team • 09/28/2024

The vulnerability identified as CVE-2022-48906 resides within the Linux kernel's Multipath TCP implementation, specifically affecting the DATA_FIN timeout calculation mechanism. This issue was discovered through systematic testing using Syzkaller with UBSAN (Undefined Behavior Sanitizer) which revealed a critical shift-out-of-bounds condition during network packet processing. The flaw manifests when the MPTCP subsystem encounters a scenario with a large number of DATA_FIN retransmissions, triggering an arithmetic overflow in the timeout calculation logic. The root cause lies in the improper handling of bit shifting operations where a 32-bit unsigned integer receives a shift exponent of 32, which exceeds the maximum allowable shift for that data type according to the C language standard.

The technical implementation of this vulnerability demonstrates a classic case of integer overflow exploitation within kernel space networking code. The mptcp_set_datafin_timeout function in net/mptcp/protocol.c at line 470 performs a bit shift operation that becomes invalid when the retransmission count reaches certain thresholds. This condition creates a scenario where intermediate calculations exceed the bounds of the unsigned int data type, leading to undefined behavior that could potentially be exploited by malicious actors. The call trace indicates this occurs within the mptcp_worker function, which processes MPTCP retransmission events, making it a critical path in the kernel's network stack processing. According to CWE-195, this represents an implementation flaw where signedness is ignored during arithmetic operations, while the ATT&CK framework would categorize this under privilege escalation through kernel exploitation techniques.

The operational impact of this vulnerability extends beyond simple denial-of-service conditions, as it could potentially allow attackers to manipulate network connection states and disrupt multipath TCP communications. When the kernel encounters a large number of retransmissions, the improper bit shifting causes unpredictable behavior in the timeout calculation, which governs how long the system waits before considering a connection as terminated. This affects the reliability of multipath TCP connections, particularly in environments where network instability or packet loss is common, such as wireless networks or congested network paths. The vulnerability is particularly concerning because it operates at the kernel level, meaning any successful exploitation could lead to system instability or even complete system crashes. The UBSAN detection mechanism was specifically designed to catch such undefined behavior patterns, indicating that this is not a theoretical vulnerability but a real risk in production systems running affected kernel versions.

Mitigation strategies for this vulnerability require immediate kernel updates to versions containing the patched implementation that properly bounds the shift operations in the DATA_FIN timeout calculation. The fix implemented addresses the core issue by limiting the maximum timeout value and controlling the size of the shift operation to prevent overflow conditions. System administrators should prioritize patching affected systems, particularly those running kernel versions between 5.17.0-rc2 and the patched releases. Organizations should also implement monitoring for unusual network behavior patterns that might indicate exploitation attempts, while ensuring that MPTCP is properly configured in their network environments. The patch demonstrates proper defensive programming practices by implementing bounds checking and preventing arithmetic overflow conditions that could lead to system instability. Security teams should also consider implementing network segmentation and access controls to limit potential attack vectors that could leverage this vulnerability, particularly in environments where multipath TCP is actively used for high-performance networking.

Responsible

Linux

Reservation

08/21/2024

Disclosure

08/22/2024

Moderation

accepted

CPE

ready

EPSS

0.00207

KEV

no

Activities

very low

Sources

Interested in the pricing of exploits?

See the underground prices here!