Bug 2260261

Summary: kernel: MPTCP and NetLabel double free vulnerability
Product: [Other] Security Response
Reporter: Robb Gatica <rgatica>
Component: vulnerability
Assignee: Product Security <prodsec-ir-bot>
Status: CLOSED NOTABUG
Severity: medium
Priority: medium
Version: unspecified
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version:
Doc Text:
A vulnerability was discovered in the Linux kernel's IPv4 networking stack. Under certain conditions, MPTCP and NetLabel can be configured in a way that triggers a double free memory error in net/ipv4/af_inet.c:inet_sock_destruct(). This may lead to a system crash, denial of service, or potential arbitrary code execution.
Last Closed: 2024-02-26 15:51:45 UTC
Bug Blocks: 2260232

Description Robb Gatica 2024-01-24 21:38:20 UTC
Description: 

While testing a bugfix for a different kernel issue, I inadvertently discovered a way to trigger a double free in the IPv4 networking stack via the use of the MPTCP protocol and labeled networking. A similar bug exists with IPv6, but there it only triggers a refcount underflow, which doesn't lead to a double free. Please see the attached shell reproducers (repro.sh for IPv4 and repro6.sh for IPv6), which include a description of the flaw.

The double free requires a few preconditions to be met:
1. SELinux needs to be enabled (can be permissive) and a policy that supports network labeling must be loaded. (This is true in default configuration on Fedora and RHEL. Other Linux Security Modules supporting network labeling, such as SMACK, may also enable this flaw, but I didn't test it.)
2. MPTCP must be available and enabled. (True on Fedora; disabled by default on RHEL-9; unavailable on earlier versions of RHEL.)
3. NetLabel must be configured in a specific way. (Not default on both Fedora and RHEL; can only be done by a privileged user.)

I believe the flaw has been present in the Linux kernel since the initial introduction of MPTCP, though I didn't verify this. I'm not aware of any public discussions about this flaw and I haven't shared it with anyone. I also didn't identify the exact root cause and don't have a fix - I'll leave that to MPTCP/networking experts :) I can assist as an SME for SELinux and NetLabel if needed, though the upstream SELinux maintainers will likely have better knowledge than me (and I presume they will also get involved in the security bugfix process at some point).

Comment 5 Salvatore Bonaccorso 2024-02-26 14:58:30 UTC
Two questions: 

- Is this issue reported upstream to the Linux upstream?

- Is the reason that the alias CVE-2024-1627 has been removed that the Linux kernel now is a CNA on its own for Linux?

- If the latter, the Red Hat Security Data API still exports that information for the CVE:
  https://access.redhat.com/hydra/rest/securitydata/cve.json?ids=CVE-2024-1627
  Can you please drop this as well?

Comment 6 Robb Gatica 2024-03-01 21:57:05 UTC
The CVE is now fully removed and should no longer be present in the Red Hat Security Data API.