In this long-read post, we will discuss the Linux kernel vulnerability (CVE-2025-21637) related to the SCTP (Stream Control Transmission Protocol) sysctl udp_port. The kernel developers have patched the vulnerability by avoiding the use of 'current->nsproxy' and by obtaining the 'net' structure from the table->data using container_of().

Background

SCTP is a transport-layer protocol that, compared with TCP or UDP, offers more robust, faster, and more secure data transmission. In the handler for the SCTP sysctl udp_port, the use of 'current->nsproxy' led to two problems: inconsistency between network namespaces and a possible null pointer dereference.

As noted in a previous commit of this series, using the 'net' structure via 'current' is not recommended due to the following reasons:

1. Inconsistency: information is fetched either from the reader's/writer's net namespace or only from the opener's net namespace, so the handler behaves inconsistently.

2. current->nsproxy can be NULL in some cases, resulting in a null pointer dereference (an 'Oops'). This happens when the current task is exiting, as spotted by syzbot [1] using acct(2).

Solution

The kernel developers fixed this by obtaining the 'net' structure from table->data using container_of(). This resolves the inconsistency and removes the null pointer dereference, because the table entry always points into the namespace that registered it, regardless of which task performs the access.

Using table->data does, however, make this fix slightly larger, since 'sctp.ctl_sock' still has to be retrieved from the 'net' structure.
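To show why the container_of() approach holds up where current->nsproxy does not, here is an added example (not code from the post or from the kernel) built on small stand-in types: 'struct net', 'netns_sctp', 'ctl_table', 'nsproxy' and 'task_struct' are constructed mock-ups, and the field name udp_port and the fixture values are assumptions.

```c
#include <stddef.h>
/* Stand-ins for the kernel types involved; constructed for this example, not kernel code. */
#define container_of(ptr, type, member) \
    ((type *)((char *)(ptr) - offsetof(type, member)))

struct sock { int id; };
struct netns_sctp {
    unsigned int udp_port;  /* value the sysctl entry reads and writes */
    struct sock *ctl_sock;  /* per-namespace control socket the handler needs */
};

struct net {
    int inum;               /* namespace identifier (constructed) */
    struct netns_sctp sctp;
};

struct nsproxy { struct net *net_ns; };
struct task_struct { struct nsproxy *nsproxy; };

/* One sysctl table entry: .data points at the field inside a specific 'net'. */
struct ctl_table { const char *procname; void *data; };

/* Old pattern: take 'net' from the calling task. If the task is exiting,
 * current->nsproxy is NULL and the real kernel oopses; modelled here as NULL. */
struct sock *ctl_sock_via_current(struct task_struct *current, struct ctl_table *table)
{
    (void)table;
    if (!current->nsproxy)
        return NULL;
    return current->nsproxy->net_ns->sctp.ctl_sock;
}

/* Fixed pattern: recover the owning 'net' from the field table->data points into. */
struct sock *ctl_sock_via_table_data(struct task_struct *current, struct ctl_table *table)
{
    (void)current;
    struct net *net = container_of(table->data, struct net, sctp.udp_port);
    return net->sctp.ctl_sock;
}

/* Constructed fixtures: two namespaces, a table entry registered for net_a,
 * a task living in net_b, and a task with no nsproxy (exiting). */
struct sock sock_a = { 1 }, sock_b = { 2 };
struct net net_a = { 0xa, { 9899, &sock_a } };
struct net net_b = { 0xb, { 0, &sock_b } };
struct ctl_table udp_port_entry = { "udp_port", &net_a.sctp.udp_port };
struct nsproxy proxy_b = { &net_b };
struct task_struct task_in_b = { &proxy_b };
struct task_struct task_exiting = { NULL };
```

With these fixtures the current-based lookup follows the caller's namespace (net_b) and fails for the exiting task, while the table-based lookup always lands on net_a, the namespace that owns the entry.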

Code Snippet

/* Instead of using current->nsproxy, use the table->data and container_of() */

- struct net *net = current->nsproxy->net_ns;

+ struct net *net = container_of(table->data, struct net, sctp.sysctl_udp_encap_port);

  sock = net->sctp.ctl_sock;
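Review bot: the container_of() member in the '+' line, sctp.sysctl_udp_encap_port, does not match the sysctl this post describes (udp_port, per the title and Background), and it must name exactly the field whose address the table entry stores in table->data: container_of() only subtracts that member's offset, so a wrong member yields a misaligned 'struct net' pointer and the following net->sctp.ctl_sock read goes to the wrong memory. Suggest checking the member against the .data initializer of the udp_port table entry before merging.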

Original References

1. syzbot report of the initial issue
2. Commit in Linux kernel source

Exploit Details

An attacker could exploit this vulnerability by triggering a null pointer dereference ('Oops') in the kernel, leading to a denial of service (DoS) or potentially even remote code execution. By avoiding 'current->nsproxy' and obtaining the 'net' structure from table->data with container_of(), the kernel developers resolved the issue and made the kernel more robust.

Timeline

Published on: 01/19/2025 11:15:09 UTC
Last modified on: 02/27/2025 22:01:21 UTC