In the Linux kernel, the following vulnerability has been resolved:
tcp: fix tcpinittransfer() to not reset icskcainitialized
This commit fixes a bug (found by syzkaller) that could cause spurious double-initializations for congestion control modules, which could cause memory leaks or other problems for congestion control modules (like CDG) that allocate memory in their init functions.
The buggy scenario constructed by syzkaller was something like:
(1) create a TCP socket (2) initiate a TFO connect via sendto() (3) while socket is in TCPSYNSENT, call setsockopt(TCPCONGESTION), which calls: tcpsetcongestioncontrol() -> tcpreinitcongestioncontrol() -> tcpinitcongestioncontrol() (4) receive ACK, connection is established, call tcpinittransfer(), set icskcainitialized=0 (without first calling cc->release()), call tcpinitcongestion_control() again.
Note that in this sequence tcpinitcongestion_control() is called twice without a cc->release() call in between. Thus, for CC modules that allocate memory in their init() function, e.g, CDG, a memory leak may occur. The syzkaller tool managed to find a reproducer that triggered such a leak in CDG.
The bug was introduced when that commit 8919a9b31eb4 ("tcp: Only init congestion control if not initialized already") introduced icskcainitialized and set icskcainitialized to 0 in tcpinittransfer(), missing the possibility for a sequence like the one above, where a process could call setsockopt(TCPCONGESTION) in state TCPSYNSENT (i.e. after the connect() or TFO open sendmsg()), which would call tcpinitcongestioncontrol(). It did not intend to reset any initialization that the user had already explicitly made; it just missed the possibility of that particular sequence (which syzkaller managed to find).