Bug 2281282 (CVE-2024-35840)

Summary: CVE-2024-35840 kernel: mptcp: use OPTION_MPTCP_MPJ_SYNACK in subflow_finish_connect()
Product: [Other] Security Response Reporter: Zack Miele <zmiele>
Component: vulnerabilityAssignee: Product Security <prodsec-ir-bot>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: acaringi, allarkin, aquini, bhu, chwhite, cye, cyin, dbohanno, debarbos, dfreiber, drow, dvlasenk, esandeen, ezulian, hkrzesin, jarod, jburrell, jdenham, jfaracco, jlelli, joe.lawrence, jshortt, jstancek, jwyatt, kcarcia, ldoskova, lgoncalv, lzampier, mleitner, mmilgram, mstowell, nmurray, ptalbert, rparrazo, rrobaina, rvrbovsk, rysulliv, scweaver, sidakwo, sukulkar, tglozar, tyberry, vkumar, wcosta, williams, wmealing, ycote, ykopkova, zhijwang
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: kernel 5.15.148, kernel 6.1.75, kernel 6.6.14, kernel 6.7.2, kernel 6.8 Doc Type: If docs needed, set a value
Doc Text:
CVE-2024-35840 is a vulnerability in the Linux kernel’s Multipath TCP (MPTCP) implementation. It occurs because the subflow_finish_connect() function may handle uninitialized data in certain fields if a specific MPTCP option (OPTION_MPTCP_MPJ_SYNACK) is not correctly set during option parsing. This could lead to unpredictable behavior in MPTCP connections. The issue has been resolved by ensuring proper initialization and handling of these fields.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2281283    
Bug Blocks: 2281767    

Description Zack Miele 2024-05-18 00:47:17 UTC 
In the Linux kernel, the following vulnerability has been resolved:

mptcp: use OPTION_MPTCP_MPJ_SYNACK in subflow_finish_connect()

The Linux kernel CVE team has assigned CVE-2024-35840 to this issue.

Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2024051756-CVE-2024-35840-99fa@gregkh/T
Comment 2 Zack Miele 2024-05-18 00:48:03 UTC 
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 2281283]
Comment 6 Alex 2024-06-09 13:45:22 UTC 
The result of automatic check (that is developed by Alexander Larkin) for this CVE-2024-35840 is: 	SKIP	The Fixes patch not applied yet, so unlikely that actual: f296234c98a8	YES			NO	YES	unknown	 (where first YES/NO value means if related sources built).
Comment 7 errata-xmlrpc 2024-11-12 09:29:02 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:9315 https://access.redhat.com/errata/RHSA-2024:9315