| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <2025091548-CVE-2022-50243-4311@gregkh> Date: Mon, 15 Sep 2025 16:01:51 +0200 From: Greg Kroah-Hartman <gregkh@...uxfoundation.org> To: linux-cve-announce@...r.kernel.org Cc: Greg Kroah-Hartman <gregkh@...nel.org> Subject: CVE-2022-50243: sctp: handle the error returned from sctp_auth_asoc_init_active_key From: Greg Kroah-Hartman <gregkh@...nel.org> Description =========== In the Linux kernel, the following vulnerability has been resolved: sctp: handle the error returned from sctp_auth_asoc_init_active_key When it returns an error from sctp_auth_asoc_init_active_key(), the active_key is actually not updated. The old sh_key will be freeed while it's still used as active key in asoc. Then an use-after-free will be triggered when sending patckets, as found by syzbot: sctp_auth_shkey_hold+0x22/0xa0 net/sctp/auth.c:112 sctp_set_owner_w net/sctp/socket.c:132 [inline] sctp_sendmsg_to_asoc+0xbd5/0x1a20 net/sctp/socket.c:1863 sctp_sendmsg+0x1053/0x1d50 net/sctp/socket.c:2025 inet_sendmsg+0x99/0xe0 net/ipv4/af_inet.c:819 sock_sendmsg_nosec net/socket.c:714 [inline] sock_sendmsg+0xcf/0x120 net/socket.c:734 This patch is to fix it by not replacing the sh_key when it returns errors from sctp_auth_asoc_init_active_key() in sctp_auth_set_key(). For sctp_auth_set_active_key(), old active_key_id will be set back to asoc->active_key_id when the same thing happens. The Linux kernel CVE team has assigned CVE-2022-50243 to this issue. Affected and fixed versions =========================== Issue introduced in 4.19.199 with commit 50b57223da67653c61e405d0a7592355cfe4585e and fixed in 4.19.262 with commit b8fa99a3a11bdd77fef6b4a97f1021eb30b5ba40 Issue introduced in 5.4.136 with commit b60461696a0b0fdaf240bc365b7983698f88ded2 and fixed in 5.4.220 with commit 382ff44716603a54f5fd238ddec6a2468e217612 Issue introduced in 5.10.54 with commit 8eb225873246312660ccd68296959a7b213d0cdd and fixed in 5.10.150 with commit f65955340e0044f5c41ac799a01698ac7dee8a4e Issue introduced in 5.14 with commit 58acd10092268831e49de279446c314727101292 and fixed in 5.15.75 with commit 19d636b663e0e92951bba5fced929ca7fd25c552 Issue introduced in 5.14 with commit 58acd10092268831e49de279446c314727101292 and fixed in 5.19.17 with commit 0f90099d18e3abdc01babf686f41f63fe04939c1 Issue introduced in 5.14 with commit 58acd10092268831e49de279446c314727101292 and fixed in 6.0.3 with commit 3b0fcf5e29c0940e1169ce9c44f73edd98bdf12d Issue introduced in 5.14 with commit 58acd10092268831e49de279446c314727101292 and fixed in 6.1 with commit 022152aaebe116a25c39818a07e175a8cd3c1e11 Issue introduced in 5.13.6 with commit c1de376423a7759bf4fa25d6a038a4c1e035c9e1 Please see https://www.kernel.org for a full list of currently supported kernel versions by the kernel community. Unaffected versions might change over time as fixes are backported to older supported kernel versions. The official CVE entry at https://cve.org/CVERecord/?id=CVE-2022-50243 will be updated if fixes are backported, please check that for the most up to date information about this issue. Affected files ============== The file(s) affected by this issue are: net/sctp/auth.c Mitigation ========== The Linux kernel CVE team recommends that you update to the latest stable kernel version for this, and many other bugfixes. Individual changes are never tested alone, but rather are part of a larger kernel release. Cherry-picking individual commits is not recommended or supported by the Linux kernel community at all. If however, updating to the latest release is impossible, the individual changes to resolve this issue can be found at these commits: https://git.kernel.org/stable/c/b8fa99a3a11bdd77fef6b4a97f1021eb30b5ba40 https://git.kernel.org/stable/c/382ff44716603a54f5fd238ddec6a2468e217612 https://git.kernel.org/stable/c/f65955340e0044f5c41ac799a01698ac7dee8a4e https://git.kernel.org/stable/c/19d636b663e0e92951bba5fced929ca7fd25c552 https://git.kernel.org/stable/c/0f90099d18e3abdc01babf686f41f63fe04939c1 https://git.kernel.org/stable/c/3b0fcf5e29c0940e1169ce9c44f73edd98bdf12d https://git.kernel.org/stable/c/022152aaebe116a25c39818a07e175a8cd3c1e11
Powered by blists - more mailing lists