CVE-2023-53839
Description
In the Linux kernel, the following vulnerability has been resolved:
dccp: fix data-race around dp->dccps_mss_cache
dccp_sendmsg() reads dp->dccps_mss_cache before locking the socket. Same thing in do_dccp_getsockopt().
Add READ_ONCE()/WRITE_ONCE() annotations, and change dccp_sendmsg() to check again dccps_mss_cache after socket is locked.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Data race in Linux kernel DCCP's dp->dccps_mss_cache can cause incorrect MSS values, leading to potential denial of service.
Vulnerability
A data race exists in the Linux kernel's Datagram Congestion Control Protocol (DCCP) implementation around the dp->dccps_mss_cache variable. Both dccp_sendmsg() and do_dccp_getsockopt() read this cache without holding the socket lock, while other code paths may write to it concurrently. This lack of synchronization can result in the use of stale or inconsistent Maximum Segment Size (MSS) values.
Exploitation
The race is triggered when multiple threads access the same DCCP socket simultaneously. An attacker with the ability to send data or query socket options on a DCCP socket could cause a read of dccps_mss_cache to occur while another thread is updating it. No special privileges beyond network access are required, as the race can occur during normal socket operations.
Impact
An incorrect MSS value can lead to packet fragmentation errors, connection instability, or denial of service. The exact consequences depend on the timing of the race, but any deviation from the expected MSS may cause the kernel to generate malformed packets or fail to properly handle incoming data.
Mitigation
The fix introduces READ_ONCE() and WRITE_ONCE() annotations to ensure atomic reads and writes of the cache, and modifies dccp_sendmsg() to re-check the value after acquiring the socket lock. These patches have been applied to stable kernel branches [1][2][3]. Users should update to the latest stable kernel to eliminate the race.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
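The check, lock, re-check flow described under Mitigation, as an added userspace model (not the kernel patch and not code from this page). C11 relaxed atomics stand in for READ_ONCE()/WRITE_ONCE(), and `model_sock`, `model_sendmsg`, its `hook` and `recheck` parameters and `shrink_to_500` are hypothetical names; the hook deterministically places a concurrent MSS update in the window between the lockless check and the lock.

```c
/* Userspace model of check / lock / re-check. Not kernel code. */
#include <errno.h>
#include <stdatomic.h>
#include <stddef.h>

/* Stand-ins for READ_ONCE()/WRITE_ONCE(): one untorn load or store. */
#define MODEL_READ_ONCE(p)     atomic_load_explicit((p), memory_order_relaxed)
#define MODEL_WRITE_ONCE(p, v) atomic_store_explicit((p), (v), memory_order_relaxed)

struct model_sock {                 /* hypothetical stand-in for a DCCP socket */
    atomic_flag lock;               /* models the socket lock */
    _Atomic unsigned int mss_cache; /* models dp->dccps_mss_cache */
};

static void model_lock(struct model_sock *sk)
{
    while (atomic_flag_test_and_set(&sk->lock)) { }  /* spin until free */
}

static void model_unlock(struct model_sock *sk)
{
    atomic_flag_clear(&sk->lock);
}

/* Constructed race: a writer shrinks the MSS to 500 under the lock. */
void shrink_to_500(struct model_sock *sk)
{
    model_lock(sk);
    MODEL_WRITE_ONCE(&sk->mss_cache, 500);
    model_unlock(sk);
}

/* 0 if len is accepted, -EMSGSIZE if it exceeds the cached MSS. hook runs
 * in the window before the lock; recheck=0 models the flow before the fix. */
int model_sendmsg(struct model_sock *sk, size_t len,
                  void (*hook)(struct model_sock *), int recheck)
{
    int rc = 0;

    if (len > MODEL_READ_ONCE(&sk->mss_cache))   /* lockless early reject */
        return -EMSGSIZE;
    if (hook)
        hook(sk);                                /* concurrent update lands here */
    model_lock(sk);
    if (recheck && len > MODEL_READ_ONCE(&sk->mss_cache))
        rc = -EMSGSIZE;                          /* stale early check caught */
    model_unlock(sk);
    return rc;
}
```

With a socket initialised as `{ .lock = ATOMIC_FLAG_INIT, .mss_cache = 1000 }`, `model_sendmsg(&sk, 800, shrink_to_500, 0)` accepts a length that no longer fits, while the same call with `recheck` set to 1 returns `-EMSGSIZE`.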
Affected products (2)
Patches (8)
162fa1e3cfb6, 2bdc7f272b3a, 67eebc7a9217, 6d701c95ee64, f239c9e1d98b, a6ddc1c77487, d1f38d313bdf, a47e598fbd86
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (8)
- git.kernel.org/stable/c/162fa1e3cfb62aa780d7c40c8cccb6c2f8bef7c1 (nvd)
- git.kernel.org/stable/c/2bdc7f272b3a110a4e1fdee6c47c8d20f9b20817 (nvd)
- git.kernel.org/stable/c/67eebc7a9217f999b779d46fba5312a716f0dc1d (nvd)
- git.kernel.org/stable/c/6d701c95ee6463abcbb6da543060d6e444554135 (nvd)
- git.kernel.org/stable/c/a47e598fbd8617967e49d85c49c22f9fc642704c (nvd)
- git.kernel.org/stable/c/a6ddc1c774874dc704f96a99d015dc759627bba7 (nvd)
- git.kernel.org/stable/c/d1f38d313bdfc52fb2f662e66d0c60dd1cfe2384 (nvd)
- git.kernel.org/stable/c/f239c9e1d98b313435481b4926e8bdd06197e4d8 (nvd)