| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <2025091627-CVE-2023-53296-9947@gregkh> Date: Tue, 16 Sep 2025 10:11:46 +0200 From: Greg Kroah-Hartman <gregkh@...uxfoundation.org> To: linux-cve-announce@...r.kernel.org Cc: Greg Kroah-Hartman <gregkh@...nel.org> Subject: CVE-2023-53296: sctp: check send stream number after wait_for_sndbuf From: Greg Kroah-Hartman <gregkh@...nel.org> Description =========== In the Linux kernel, the following vulnerability has been resolved: sctp: check send stream number after wait_for_sndbuf This patch fixes a corner case where the asoc out stream count may change after wait_for_sndbuf. When the main thread in the client starts a connection, if its out stream count is set to N while the in stream count in the server is set to N - 2, another thread in the client keeps sending the msgs with stream number N - 1, and waits for sndbuf before processing INIT_ACK. However, after processing INIT_ACK, the out stream count in the client is shrunk to N - 2, the same to the in stream count in the server. The crash occurs when the thread waiting for sndbuf is awake and sends the msg in a non-existing stream(N - 1), the call trace is as below: KASAN: null-ptr-deref in range [0x0000000000000038-0x000000000000003f] Call Trace: <TASK> sctp_cmd_send_msg net/sctp/sm_sideeffect.c:1114 [inline] sctp_cmd_interpreter net/sctp/sm_sideeffect.c:1777 [inline] sctp_side_effects net/sctp/sm_sideeffect.c:1199 [inline] sctp_do_sm+0x197d/0x5310 net/sctp/sm_sideeffect.c:1170 sctp_primitive_SEND+0x9f/0xc0 net/sctp/primitive.c:163 sctp_sendmsg_to_asoc+0x10eb/0x1a30 net/sctp/socket.c:1868 sctp_sendmsg+0x8d4/0x1d90 net/sctp/socket.c:2026 inet_sendmsg+0x9d/0xe0 net/ipv4/af_inet.c:825 sock_sendmsg_nosec net/socket.c:722 [inline] sock_sendmsg+0xde/0x190 net/socket.c:745 The fix is to add an unlikely check for the send stream number after the thread wakes up from the wait_for_sndbuf. The Linux kernel CVE team has assigned CVE-2023-53296 to this issue. Affected and fixed versions =========================== Issue introduced in 4.15 with commit 5bbbbe32a43199c2b9ea5ea66fab6241c64beb51 and fixed in 4.19.281 with commit 9346a1a21142357972a6f466ba6275ddc54b04ac Issue introduced in 4.15 with commit 5bbbbe32a43199c2b9ea5ea66fab6241c64beb51 and fixed in 5.4.241 with commit 0443fff49d6352160c200064156c25898bd9f58c Issue introduced in 4.15 with commit 5bbbbe32a43199c2b9ea5ea66fab6241c64beb51 and fixed in 5.10.178 with commit b4b6dfad41aaae9e36e44327b18d5cf4b20dd2ce Issue introduced in 4.15 with commit 5bbbbe32a43199c2b9ea5ea66fab6241c64beb51 and fixed in 5.15.107 with commit 667eb99cf7c15fe5b0ecefe75cf658e20ef20c9f Issue introduced in 4.15 with commit 5bbbbe32a43199c2b9ea5ea66fab6241c64beb51 and fixed in 6.1.24 with commit d2128636b303aa9cf065055402ee6697409a8837 Issue introduced in 4.15 with commit 5bbbbe32a43199c2b9ea5ea66fab6241c64beb51 and fixed in 6.2.11 with commit a615e7270318fa0b98bf1ff38daf6cf52d840312 Issue introduced in 4.15 with commit 5bbbbe32a43199c2b9ea5ea66fab6241c64beb51 and fixed in 6.3 with commit 2584024b23552c00d95b50255e47bd18d306d31a Please see https://www.kernel.org for a full list of currently supported kernel versions by the kernel community. Unaffected versions might change over time as fixes are backported to older supported kernel versions. The official CVE entry at https://cve.org/CVERecord/?id=CVE-2023-53296 will be updated if fixes are backported, please check that for the most up to date information about this issue. Affected files ============== The file(s) affected by this issue are: net/sctp/socket.c Mitigation ========== The Linux kernel CVE team recommends that you update to the latest stable kernel version for this, and many other bugfixes. Individual changes are never tested alone, but rather are part of a larger kernel release. Cherry-picking individual commits is not recommended or supported by the Linux kernel community at all. If however, updating to the latest release is impossible, the individual changes to resolve this issue can be found at these commits: https://git.kernel.org/stable/c/9346a1a21142357972a6f466ba6275ddc54b04ac https://git.kernel.org/stable/c/0443fff49d6352160c200064156c25898bd9f58c https://git.kernel.org/stable/c/b4b6dfad41aaae9e36e44327b18d5cf4b20dd2ce https://git.kernel.org/stable/c/667eb99cf7c15fe5b0ecefe75cf658e20ef20c9f https://git.kernel.org/stable/c/d2128636b303aa9cf065055402ee6697409a8837 https://git.kernel.org/stable/c/a615e7270318fa0b98bf1ff38daf6cf52d840312 https://git.kernel.org/stable/c/2584024b23552c00d95b50255e47bd18d306d31a
Powered by blists - more mailing lists