Bug 1220146

Summary: kernel: MPTCP and NetLabel double free vulnerability
Product: [Novell Products] SUSE Security Incidents Reporter: SMASH SMASH <smash_bz>
Component: IncidentsAssignee: Security Team bot <security-team>
Status: RESOLVED INVALID QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P3 - Medium CC: jlee, meissner, mkoutny, mkubecek, stoyan.manolov, thomas.leroy, vasant.karasulli
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/394517/
Whiteboard:
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description SMASH SMASH 2024-02-21 09:59:58 UTC 
Description: 

While testing a bugfix for a different kernel issue, I inadvertently discovered a way to trigger a double free in the IPv4 networking stack via the use of the MPTCP protocol and labeled networking. A similar bug exists with IPv6, but there it only triggers a refcount underflow, which doesn't lead to a double free. Please see the attached shell reproducers (repro.sh for IPv4 and repro6.sh for IPv6), which include a description of the flaw.

The double free requires a few preconditions to be met:
1. SELinux needs to be enabled (can be permissive) and a policy that supports network labeling must be loaded. (This is true in default configuration on Fedora and RHEL. Other Linux Security Modules supporting network labeling, such as SMACK, may also enable this flaw, but I didn't test it.)
2. MPTCP must be available and enabled. (True on Fedora; disabled by default on RHEL-9; unavailable on earlier versions of RHEL.)
3. NetLabel must be configured in a specific way. (Not default on both Fedora and RHEL; can only be done by a privileged user.)

I believe the flaw has been present in the Linux kernel since the initial introduction of MPTCP, though I didn't verify this. I'm not aware of any public discussions about this flaw and I haven't shared it with anyone. I also didn't identify the exact root cause and don't have a fix - I'll leave that to MPTCP/networking experts :) I can assist as an SME for SELinux and NetLabel if needed, though the upstream SELinux maintainers will likely have better knowledge than me (and I presume they will also get involved in the security bugfix process at some point).

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-1627
https://bugzilla.redhat.com/show_bug.cgi?id=2260261
Comment 1 Joey Lee 2024-02-23 05:59:18 UTC 
Currently I didn't find patch or any useful source code information for CVE-2024-1627. 
Because this CVE is about IP and SELinux. I still add Michel to Cc list.