Message-ID: <2025050124-CVE-2025-23142-ac59@gregkh>
Date: Thu, 1 May 2025 14:56:22 +0200
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: linux-cve-announce@...r.kernel.org
Cc: Greg Kroah-Hartman <gregkh@...nel.org>
Subject: CVE-2025-23142: sctp: detect and prevent references to a freed transport in sendmsg
From: Greg Kroah-Hartman <gregkh@...nel.org>
Description
===========
In the Linux kernel, the following vulnerability has been resolved:

sctp: detect and prevent references to a freed transport in sendmsg

sctp_sendmsg() re-uses associations and transports when possible by
doing a lookup based on the socket endpoint and the message destination
address, and then sctp_sendmsg_to_asoc() sets the selected transport in
all the message chunks to be sent.

There's a possible race condition if another thread triggers the removal
of that selected transport, for instance, by explicitly unbinding an
address with setsockopt(SCTP_SOCKOPT_BINDX_REM), after the chunks have
been set up and before the message is sent. This can happen if the send
buffer is full, during the period when the sender thread temporarily
releases the socket lock in sctp_wait_for_sndbuf().

This causes the access to the transport data in
sctp_outq_select_transport(), when the association outqueue is flushed,
to result in a use-after-free read.

This change avoids this scenario by having sctp_transport_free() signal
the freeing of the transport, tagging it as "dead". In order to do this,
the patch restores the "dead" bit in struct sctp_transport, which was
removed in
commit 47faa1e4c50e ("sctp: remove the dead field of sctp_transport").

Then, in the scenario where the sender thread has released the socket
lock in sctp_wait_for_sndbuf(), the bit is checked again after
re-acquiring the socket lock to detect the deletion. This is done while
holding a reference to the transport to prevent it from being freed in
the process.

If the transport was deleted while the socket lock was relinquished,
sctp_sendmsg_to_asoc() will return -EAGAIN to let userspace retry the
send.

The bug was found by a private syzbot instance (see the error report [1]
and the C reproducer that triggers it [2]).
The Linux kernel CVE team has assigned CVE-2025-23142 to this issue.
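The hold-then-recheck pattern the description explains, as a small userspace C model added here for illustration; it is not kernel code and not part of the advisory or the fix commit. It models a refcounted transport carrying the restored "dead" bit, a wait that releases the socket lock, and the sender re-checking the bit after re-acquiring the lock while holding its own reference. All names (transport, assoc, run_send, unbind_primary, g_freed) are constructed stand-ins for the kernel structures and functions named above, and the address string is a constructed sample value.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Stand-in for struct sctp_transport; "dead" mirrors the bit the fix restores. */
struct transport {
    int refcnt;
    bool dead;
    const char *addr;
};

/* Stand-in for struct sctp_association. */
struct assoc {
    struct transport *primary;   /* transport selected for the outgoing chunks */
    bool sndbuf_full;            /* constructed flag that forces the wait path */
};

static int g_freed;              /* instrumentation: transports actually freed */

static struct transport *transport_new(const char *addr)
{
    struct transport *t = calloc(1, sizeof(*t));
    if (!t)
        abort();
    t->addr = addr;
    t->refcnt = 1;               /* the association's own reference */
    return t;
}

static void transport_hold(struct transport *t) { t->refcnt++; }

static void transport_put(struct transport *t)
{
    if (--t->refcnt == 0) {
        g_freed++;
        free(t);
    }
}

/* Models sctp_transport_free(): mark the transport dead before dropping the
 * association's reference, so a holder of an extra reference can see it. */
static void transport_free(struct transport *t)
{
    t->dead = true;
    transport_put(t);
}

/* Models the concurrent SCTP_SOCKOPT_BINDX_REM in another thread: the selected
 * transport is unlinked from the association and freed. */
static void unbind_primary(struct assoc *a)
{
    struct transport *t = a->primary;
    a->primary = NULL;
    transport_free(t);
}

/* Models sctp_wait_for_sndbuf(): the socket lock is released here, and
 * `while_unlocked` stands in for whatever another thread does meanwhile. */
static int wait_for_sndbuf(struct assoc *a, void (*while_unlocked)(struct assoc *))
{
    if (while_unlocked)
        while_unlocked(a);
    a->sndbuf_full = false;      /* buffer space became available */
    return 0;
}

/* Hardened shape of sctp_sendmsg_to_asoc(). The unfixed shape simply returned
 * from the wait and flushed chunks whose transport pointer could already be
 * dangling; here a reference is held across the wait and the dead bit is
 * re-checked once the lock is back. */
static int sendmsg_to_asoc(struct assoc *a, void (*while_unlocked)(struct assoc *))
{
    struct transport *t = a->primary;   /* chunk->transport = t for every chunk */
    int err = 0;

    if (a->sndbuf_full) {
        transport_hold(t);               /* t cannot be freed while we sleep */
        err = wait_for_sndbuf(a, while_unlocked);
        if (!err && t->dead)             /* removed while the lock was dropped */
            err = -EAGAIN;               /* let userspace retry the send */
        transport_put(t);                /* last reference if it died meanwhile */
        if (err)
            return err;
    }
    return 0;                            /* safe to flush: t is still linked */
}

/* Drives one send with a full send buffer, optionally letting the concurrent
 * unbind run while the lock is dropped. Returns the send result. */
static int run_send(bool concurrent_unbind)
{
    struct assoc a = { .primary = transport_new("10.0.0.1"), .sndbuf_full = true };
    int rc = sendmsg_to_asoc(&a, concurrent_unbind ? unbind_primary : NULL);

    if (a.primary)
        transport_free(a.primary);       /* normal teardown */
    return rc;
}

static int freed_count(void) { return g_freed; }

int main(void)
{
    printf("no interference:   %d\n", run_send(false));  /* 0 */
    printf("concurrent unbind: %d\n", run_send(true));   /* -11 (-EAGAIN) */
    printf("transports freed:  %d\n", freed_count());    /* 2 */
    return 0;
}
```

The reference taken before the wait is what makes the check meaningful: without it the transport's memory, dead bit included, could already be freed when the sender reads it, so the model would just move the use-after-free from the outqueue flush to the check itself. The counter shows no leak either way: the dead transport is released by the sender's put, the live one by the normal teardown.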
Affected and fixed versions
===========================
Issue introduced in 4.20 with commit df132eff463873e14e019a07f387b4d577d6d1f9 and fixed in 6.1.135 with commit 7a63f4fb0efb4e69efd990cbb740a848679ec4b0
Issue introduced in 4.20 with commit df132eff463873e14e019a07f387b4d577d6d1f9 and fixed in 6.6.88 with commit c6fefcb71d246baaf3bacdad1af7ff50ebcfe652
Issue introduced in 4.20 with commit df132eff463873e14e019a07f387b4d577d6d1f9 and fixed in 6.12.24 with commit 9e7c37fadb3be1fc33073fcf10aa96d166caa697
Issue introduced in 4.20 with commit df132eff463873e14e019a07f387b4d577d6d1f9 and fixed in 6.13.12 with commit 5bc83bdf5f5b8010d1ca5a4555537e62413ab4e2
Issue introduced in 4.20 with commit df132eff463873e14e019a07f387b4d577d6d1f9 and fixed in 6.14.3 with commit 2e5068b7e0ae0a54f6cfd03a2f80977da657f1ee
Issue introduced in 4.20 with commit df132eff463873e14e019a07f387b4d577d6d1f9 and fixed in 6.15-rc2 with commit f1a69a940de58b16e8249dff26f74c8cc59b32be
Issue introduced in 3.18.128 with commit 26e51e5287eed4d96ea66a3da95429f42940f013
Issue introduced in 4.4.166 with commit 8b97e045bd6d37f96f161e4d371ae174148e1587
Issue introduced in 4.9.142 with commit e044554e97e812eb257d073bcc130e0ea653858f
Issue introduced in 4.14.85 with commit 8376fdc999be008f0e9918db52f1ed8c08f5a1c9
Issue introduced in 4.19.6 with commit cd947138e8c31e8cfcd489c12e9b97271beb6e79
Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.
Unaffected versions might change over time as fixes are backported to
older supported kernel versions. The official CVE entry at
https://cve.org/CVERecord/?id=CVE-2025-23142
will be updated if fixes are backported, please check that for the most
up to date information about this issue.
Affected files
==============
The file(s) affected by this issue are:
include/net/sctp/structs.h
net/sctp/socket.c
net/sctp/transport.c
Mitigation
==========
The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes. Individual
changes are never tested alone, but rather are part of a larger kernel
release. Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all. If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
https://git.kernel.org/stable/c/7a63f4fb0efb4e69efd990cbb740a848679ec4b0
https://git.kernel.org/stable/c/c6fefcb71d246baaf3bacdad1af7ff50ebcfe652
https://git.kernel.org/stable/c/9e7c37fadb3be1fc33073fcf10aa96d166caa697
https://git.kernel.org/stable/c/5bc83bdf5f5b8010d1ca5a4555537e62413ab4e2
https://git.kernel.org/stable/c/2e5068b7e0ae0a54f6cfd03a2f80977da657f1ee
https://git.kernel.org/stable/c/f1a69a940de58b16e8249dff26f74c8cc59b32be