- Description
- In the Linux kernel, the following vulnerability has been resolved: mptcp: fix sk_forward_memory corruption on retransmission MPTCP sk_forward_memory handling is a bit special, as such field is protected by the msk socket spin_lock, instead of the plain socket lock. Currently we have a code path updating such field without handling the relevant lock: __mptcp_retrans() -> __mptcp_clean_una_wakeup() Several helpers in __mptcp_clean_una_wakeup() will update sk_forward_alloc, possibly causing such field corruption, as reported by Matthieu. Address the issue providing and using a new variant of blamed function which explicitly acquires the msk spin lock.
- Source
- 416baaa9-dc9f-4396-8d5f-8c081fb06d67
- NVD status
- Analyzed
CVSS 3.1
- Type
- Primary
- Base score
- 7.1
- Impact score
- 5.2
- Exploitability score
- 1.8
- Vector string
- CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
- Severity
- HIGH
- nvd@nist.gov
- CWE-787
- Hype score
- Not currently trending
[
{
"nodes": [
{
"negate": false,
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "C68A4290-9FFF-4037-9467-4FF878E3085F",
"versionEndExcluding": "5.12.10",
"versionStartIncluding": "5.12"
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:5.13:rc1:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "0CBAD0FC-C281-4666-AB2F-F8E6E1165DF7"
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:5.13:rc2:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "96AC23B2-D46A-49D9-8203-8E1BEDCA8532"
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:5.13:rc3:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "DA610E30-717C-4700-9F77-A3C9244F3BFD"
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:5.13:rc4:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "1ECD33F5-85BE-430B-8F86-8D7BD560311D"
}
],
"operator": "OR"
}
]
}
]