In the Linux kernel, a vulnerability has recently been resolved. The fix addresses the issue within the Stream Control Transmission Protocol (SCTP) sysctl rto_min and rto_max. This issue has been known to cause inconsistencies and even crashes in certain scenarios. Linux kernel developers have provided a solution that eliminates these problems by avoiding the use of 'current->nsproxy' and obtaining the 'net' structure through other means. Let's take a deeper look at the vulnerability, the origin, the fix, and how you can ensure your systems are secure.
The Vulnerability
In the Linux kernel, the 'current->nsproxy' value can sometimes be NULL. This can happen, for example, when the current task is exiting. In such cases, a null-ptr-deref 'Oops' can occur, as spotted by syzbot [1] when using acct(2). The problem is located in the sctp sysctl rto_min/max, where the 'net' structure is obtained via 'current'.
Two concerns arise from obtaining the 'net' structure through 'current':
* Inconsistency: The reader's/writer's netns is being used to get info, instead of only relying on the opener's netns.
* As previously mentioned, 'current->nsproxy' can be NULL, resulting in the kernel crashing ('Oops').
The Fix
The solution takes a different route to the 'net' structure. Instead of going through 'current->nsproxy', the handler recovers the 'net' that owns the sysctl entry with container_of() applied to table->data, since table->data points at the rto_min (or rto_max) member inside that 'net'.
Here is a code snippet demonstrating the resolution:
/* Before: the netns comes from the calling task, whose nsproxy may be NULL */
net = current->nsproxy->net_ns;
/* After: the netns is the one that owns table->data (the rto_max handler
 * does the same with sctp.rto_max) */
net = container_of(table->data, struct net, sctp.rto_min);
This fix removes both the inconsistency and the crash, with one trade-off. table->data could also have been used directly, since rto_min/rto_max is the sole member needed from the 'net' structure, but replacing every use of the member with '*data' would increase the size of the fix. To keep the change minimal, the fix relies on container_of() instead.
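To make the container_of() approach concrete, here is an added user-space model of the two code paths; it is not the kernel's code. The names (struct net, sctp.rto_min/rto_max, ctl_table, nsproxy, current) mirror the kernel's, but the struct layouts, the task stand-in and the demo() scenario are simplified assumptions. It shows that the old path reads whatever netns the writing task is in (and has nothing to dereference when nsproxy is NULL), while the fixed path always lands on the netns that registered the table and still performs the rto_min <= rto_max check that the handler needs 'net' for.

```c
/* Added example (not the kernel's code): user-space model of the sctp
 * rto_min/rto_max sysctl handlers before and after the fix. Layouts are
 * simplified stand-ins for the kernel structures of the same name. */
#include <stddef.h>
#include <stdio.h>

/* Same idea as the kernel macro: step back from a member to its container. */
#define container_of(ptr, type, member) \
    ((type *)((char *)(ptr) - offsetof(type, member)))

struct net {
    int id;
    struct { unsigned int rto_min; unsigned int rto_max; } sctp;
};

struct ctl_table {
    const char *procname;
    void *data;             /* points at the member inside the owning struct net */
};

struct nsproxy { struct net *net_ns; };
struct task { struct nsproxy *nsproxy; };
/* stand-in for the kernel's 'current'; a NULL nsproxy models an exiting task */
static struct task *current = NULL;

/* BEFORE: netns taken from the calling task. Returns NULL where the kernel
 * would Oops, and otherwise yields the caller's netns, not the table owner's. */
static struct net *net_from_current(void) {
    if (!current || !current->nsproxy) return NULL;
    return current->nsproxy->net_ns;
}

/* AFTER: recover the owning struct net from the address stored in table->data. */
static struct net *net_from_rto_min(struct ctl_table *t) {
    return container_of(t->data, struct net, sctp.rto_min);
}
static struct net *net_from_rto_max(struct ctl_table *t) {
    return container_of(t->data, struct net, sctp.rto_max);
}

/* Model of the rto_min write handler: reject values above the netns' rto_max
 * (the kernel returns -EINVAL; -1 stands in for it here). */
static int write_rto_min(struct ctl_table *t, unsigned int new_min) {
    struct net *net = net_from_rto_min(t);
    if (new_min > net->sctp.rto_max) return -1;
    net->sctp.rto_min = new_min;
    return 0;
}

/* Two netns with their own sysctl tables; a writer living in netns a writes
 * netns b's table. Returns 0 when every expectation holds, else the failing step. */
static int demo(void) {
    struct net a = { .id = 1, .sctp = { 1000, 60000 } };
    struct net b = { .id = 2, .sctp = { 2000, 5000 } };
    struct ctl_table a_min = { "rto_min", &a.sctp.rto_min };
    struct ctl_table b_min = { "rto_min", &b.sctp.rto_min };
    struct ctl_table b_max = { "rto_max", &b.sctp.rto_max };
    struct nsproxy a_proxy = { &a };
    struct task writer = { &a_proxy };

    current = &writer;
    if (net_from_current() != &a) return 1;         /* old path: writer's netns, not b */
    if (net_from_rto_min(&b_min) != &b) return 2;   /* fixed path: the opener's netns */
    if (net_from_rto_max(&b_max) != &b) return 3;

    current = NULL;                                  /* exiting task */
    if (net_from_current() != NULL) return 4;        /* old path has nothing to use */
    if (write_rto_min(&b_min, 6000) != -1) return 5; /* 6000 > b's rto_max of 5000 */
    if (write_rto_min(&b_min, 3000) != 0 || b.sctp.rto_min != 3000) return 6;
    if (write_rto_min(&a_min, 500) != 0 || a.sctp.rto_min != 500) return 7;
    return 0;
}

int main(void) {
    int rc = demo();
    printf("%s (rc=%d)\n", rc == 0 ? "all checks passed" : "check failed", rc);
    return rc;
}
```

The point of the model is the second half of demo(): with 'current' set to NULL the container_of() path still resolves the right 'net' and the range check still runs, which is exactly what the old 'current->nsproxy->net_ns' lookup cannot do.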
Exploit Details
A local user with access to the sysctl entry could trigger the kernel 'Oops' through the null-pointer dereference of 'current->nsproxy'. Under the right conditions, the result is a denial of service on the affected system.
Original References
[1] syzbot - Bug report and analysis
Keeping Your Systems Secure
To protect your systems from CVE-2025-21639, update the Linux kernel to a version that includes the fix. This keeps the applications and services running on those systems safe from exploitation by anyone aware of the vulnerability.
Stay informed about other security vulnerabilities and patch your systems regularly to keep them secure.
Timeline
Published on: 01/19/2025 11:15:09 UTC
Last modified on: 02/27/2025 22:01:10 UTC