A vulnerability, CVE-2025-21640, has been identified and resolved in the Linux kernel. The issue lies in the Stream Control Transmission Protocol (SCTP) sysctl for the cookie HMAC (hash-based message authentication code) algorithm. The fix removes an improper use of the current task's namespace proxy (current->nsproxy), which could otherwise lead to a NULL pointer dereference (null-ptr-deref) in some cases.
In the Linux kernel, using current->nsproxy is discouraged for multiple reasons:
- Inconsistency: Reaching the 'net' structure through 'current' can be inconsistent, because it uses the namespace of whichever task reads or writes the sysctl rather than only the namespace of the task that opened it.
- NULL pointer dereference: In certain scenarios, such as when the current task is exiting, current->nsproxy is NULL. Dereferencing it then produces a kernel Oops, as observed by syzbot [1] via the acct(2) syscall.
Details of the Fix
The fix for this vulnerability involves obtaining the 'net' structure from the table->data using the container_of() macro. This approach circumvents the need for using current->nsproxy and its associated issues.
It is worth mentioning that table->data could also potentially be used directly, since it is the only member needed from the 'net' structure. However, this would require changing several instances of 'net->sctp.sctp_hmac_alg' to '*data', which would increase the complexity of the fix.
The following code snippet illustrates the modification that resolves CVE-2025-21640:
/* Obtain the 'net' structure from table->data with container_of() instead of current->nsproxy */
struct net *net = container_of(table->data, struct net, sctp.sctp_hmac_alg);
/* Access the cookie HMAC algorithm through this 'net', not through current->nsproxy->net_ns */
char *hmac_alg = net->sctp.sctp_hmac_alg;
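As an added illustration (not the kernel's code and not part of this advisory), a userland C model of the two lookups: the pre-fix path through a task's nsproxy, which is NULL for an exiting task, and the fixed container_of() recovery of 'struct net' from table->data. The struct layouts, the sample namespace values and the 'exiting_task' object are constructed stand-ins.

```c
/* Userland model of the CVE-2025-21640 fix: recover the per-namespace 'struct net'
 * from a sysctl table's data pointer with container_of() instead of dereferencing
 * current->nsproxy. Struct names mirror the kernel's; all definitions are stand-ins. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Kernel-style container_of(): pointer to member -> enclosing struct
 * (the kernel's version also type-checks the member; omitted here). */
#define container_of(ptr, type, member) \
    ((type *)((char *)(ptr) - offsetof(type, member)))
struct netns_sctp  { int other_knob; char *sctp_hmac_alg; };
struct net         { int ifindex; struct netns_sctp sctp; };
struct nsproxy     { struct net *net_ns; };
struct task_struct { struct nsproxy *nsproxy; };   /* stand-in for 'current' */
struct ctl_table   { const char *procname; void *data; };

/* Pre-fix lookup: depends on the calling task's nsproxy, which is NULL
 * once that task is exiting. The NULL check is what the kernel lacked. */
static struct net *net_from_current(const struct task_struct *current)
{
    return current->nsproxy ? current->nsproxy->net_ns : NULL;
}

/* Fixed lookup: the table was registered with data = &net->sctp.sctp_hmac_alg,
 * so the enclosing 'struct net' follows from the table alone. */
static struct net *net_from_table(const struct ctl_table *table)
{
    return container_of(table->data, struct net, sctp.sctp_hmac_alg);
}

/* Cookie HMAC algorithm name, read through the fixed lookup. */
static const char *cookie_hmac_alg(const struct ctl_table *table)
{
    return net_from_table(table)->sctp.sctp_hmac_alg;
}

/* Constructed sample: one namespace, its sysctl entry, and an exiting task. */
static struct net sample_net = { .ifindex = 7, .sctp = { 1, "sha1" } };
static struct ctl_table sample_table = {
    .procname = "cookie_hmac_alg", .data = &sample_net.sctp.sctp_hmac_alg };
static struct task_struct exiting_task = { .nsproxy = NULL };

int main(void)
{
    printf("fixed: net=%p alg=%s\n", (void *)net_from_table(&sample_table),
           cookie_hmac_alg(&sample_table));
    printf("pre-fix on exiting task: %p\n", (void *)net_from_current(&exiting_task));
    return 0;
}
```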
Original References
For more information about this vulnerability and its resolution, you can consult the following resources:
- [1] Syzbot report: https://syzkaller.appspot.com/bug?extid=b98ac789b222b376748
- Linux kernel source code: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/
Exploit Details
At the time of writing, there are no known public exploits specifically targeting CVE-2025-21640. However, the risk associated with this vulnerability can be mitigated by promptly applying the available patch.
Timeline
Published on: 01/19/2025 11:15:09 UTC
Last modified on: 02/27/2025 21:59:09 UTC