A vulnerability has been discovered and resolved in the Linux kernel, specifically in the sctp_v6_available() function of the SCTP (Stream Control Transmission Protocol) IPv6 code. Because two RCU-protected lookups are performed without holding the RCU read lock, the flaw can lead to a Use-After-Free (UAF) bug.

Details

A lockdep report [1], produced with CONFIG_PROVE_RCU_LIST=y, shows that sctp_v6_available() calls dev_get_by_index_rcu() and ipv6_chk_addr() without holding the RCU (Read-Copy-Update) read lock. Both functions walk RCU-protected data, so the network device returned by the lookup may be unregistered and freed while sctp_v6_available() is still using it. This is a UAF scenario, which can result in unpredictable behavior or crashes.

Here is the relevant function from the Linux kernel source as it stood before the fix:

static int sctp_v6_available(union sctp_addr *addr, struct sctp_sock *sp)
{
	struct sock *sk = &sp->inet.sk;
	struct net *net = sock_net(sk);
	struct net_device *dev = NULL;
	int type;

	type = ipv6_addr_type(&addr->v6.sin6_addr);
	if (IPV6_ADDR_ANY == type)
		return 1;
	if (type == IPV6_ADDR_MAPPED) {
		if (sk && ipv6_only_sock(sk))
			return 0;
		sctp_v6_map_v4(addr);
		return sctp_get_af_specific(AF_INET)->available(addr, sp);
	}
	if (!(type & IPV6_ADDR_UNICAST))
		return 0;

	/* Both calls below walk RCU-protected structures, but no
	 * rcu_read_lock() is held here: the device found by ifindex can be
	 * unregistered and freed while it is still being used. */
	if (sk->sk_bound_dev_if) {
		dev = dev_get_by_index_rcu(net, sk->sk_bound_dev_if); /* no RCU read lock held */
		if (!dev)
			return 0;
	}

	return ipv6_can_nonlocal_bind(net, &sp->inet) ||
	       ipv6_chk_addr(net, &addr->v6.sin6_addr, dev, 0); /* no RCU read lock held */
}

The RCU-protected list is traversed outside any read-side critical section, which is exactly what the lockdep report flags.

On an affected kernel, this can cause the SCTP implementation to dereference freed memory, leading to unexpected behavior or a crash during normal operation.

For more details, please refer to the following resources:

- Original Report [1]: https://lore.kernel.org/linux-sctp/20210626082934.1627521-1-xavier.promer.on@gmail.com/
- Linux Kernel Source: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/
- Stream Control Transmission Protocol (SCTP): https://tools.ietf.org/html/rfc496

Mitigation and Exploit Details

The resolution of this vulnerability is to hold the RCU read lock, i.e. to bracket the dev_get_by_index_rcu() and ipv6_chk_addr() calls (and every use of the returned device) with rcu_read_lock() and rcu_read_unlock() inside sctp_v6_available().

An updated version of the Linux kernel should be applied that includes the necessary patches to protect against this vulnerability. As always, it is advisable to keep your systems up-to-date with the latest security patches available.
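To make the fix concrete, the following is an added user-space model (not kernel code, and not part of this advisory) of the check that caught the bug. With CONFIG_PROVE_RCU the kernel warns when an RCU-only lookup runs outside a read-side section; here a nesting counter stands in for rcu_read_lock_held(), a warning counter stands in for the lockdep splat, and a constructed device table stands in for the per-netns ifindex lookup, so the pre-fix and fixed shapes of the lookup can be compared directly.

```c
/* User-space model of the lockdep check behind this bug (added example,
 * not kernel code). rcu_read_lock()/rcu_read_unlock() track reader nesting;
 * dev_get_by_index_rcu() warns, as the kernel does under CONFIG_PROVE_RCU,
 * when it is called with no reader active. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

static int rcu_reader_depth; /* stand-in for rcu_read_lock_held() */
static int rcu_warnings;     /* stand-in for "suspicious RCU usage" splats */

struct net_device { int ifindex; const char *name; };
/* constructed device table standing in for the per-netns ifindex hash */
static struct net_device devs[] = { { 1, "lo" }, { 2, "eth0" } };

static void rcu_read_lock(void)   { rcu_reader_depth++; }
static void rcu_read_unlock(void) { rcu_reader_depth--; }

/* Stand-in for the RCU-protected ifindex lookup: only legal inside a reader,
 * because a concurrent unregister may free the device once readers are gone. */
static struct net_device *dev_get_by_index_rcu(int ifindex)
{
    if (rcu_reader_depth == 0) {
        rcu_warnings++; /* RCU_LOCKDEP_WARN(!rcu_read_lock_held(), ...) */
        fprintf(stderr, "suspicious RCU usage: ifindex %d looked up without rcu_read_lock\n",
                ifindex);
    }
    for (size_t i = 0; i < sizeof devs / sizeof devs[0]; i++)
        if (devs[i].ifindex == ifindex)
            return &devs[i];
    return NULL;
}

/* Pre-fix shape: the lookup (and any later use of the device) runs outside a reader. */
static bool v6_available_unlocked(int bound_dev_if)
{
    if (bound_dev_if && !dev_get_by_index_rcu(bound_dev_if))
        return false; /* no such device */
    return true;      /* address check against the device would follow here */
}

/* Fixed shape: the lookup and every use of the device sit between lock and unlock. */
static bool v6_available_fixed(int bound_dev_if)
{
    bool res = true;
    rcu_read_lock();
    if (bound_dev_if && !dev_get_by_index_rcu(bound_dev_if))
        res = false;
    rcu_read_unlock();
    return res;
}

static int rcu_warning_count(void) { return rcu_warnings; }
```

Both variants return the same answers; the difference is only visible through the warning counter, which is why the bug surfaced as a lockdep report rather than as a functional failure.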

Timeline

Published on: 12/04/2024 15:15:15 UTC
Last modified on: 12/19/2024 09:40:08 UTC