7.8

CVE-2022-50243

sctp: handle the error returned from sctp_auth_asoc_init_active_key

In the Linux kernel, the following vulnerability has been resolved:

sctp: handle the error returned from sctp_auth_asoc_init_active_key

When it returns an error from sctp_auth_asoc_init_active_key(), the
active_key is actually not updated. The old sh_key will be freeed
while it's still used as active key in asoc. Then an use-after-free
will be triggered when sending patckets, as found by syzbot:

  sctp_auth_shkey_hold+0x22/0xa0 net/sctp/auth.c:112
  sctp_set_owner_w net/sctp/socket.c:132 [inline]
  sctp_sendmsg_to_asoc+0xbd5/0x1a20 net/sctp/socket.c:1863
  sctp_sendmsg+0x1053/0x1d50 net/sctp/socket.c:2025
  inet_sendmsg+0x99/0xe0 net/ipv4/af_inet.c:819
  sock_sendmsg_nosec net/socket.c:714 [inline]
  sock_sendmsg+0xcf/0x120 net/socket.c:734

This patch is to fix it by not replacing the sh_key when it returns
errors from sctp_auth_asoc_init_active_key() in sctp_auth_set_key().
For sctp_auth_set_active_key(), old active_key_id will be set back
to asoc->active_key_id when the same thing happens.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
LinuxLinux Kernel Version >= 4.19.199 < 4.19.262
LinuxLinux Kernel Version >= 5.4.136 < 5.4.220
LinuxLinux Kernel Version >= 5.10.54 < 5.10.150
LinuxLinux Kernel Version >= 5.13.6 < 5.14
LinuxLinux Kernel Version >= 5.14.1 < 5.15.75
LinuxLinux Kernel Version >= 5.16 < 5.19.17
LinuxLinux Kernel Version >= 6.0 < 6.0.3
LinuxLinux Kernel Version5.14 Update-
LinuxLinux Kernel Version5.14 Updaterc3
LinuxLinux Kernel Version5.14 Updaterc4
LinuxLinux Kernel Version5.14 Updaterc5
LinuxLinux Kernel Version5.14 Updaterc6
LinuxLinux Kernel Version5.14 Updaterc7
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.15% 0.046
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 7.8 1.8 5.9
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CWE-416 Use After Free

The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.

https://git.kernel.org/stable/c/b8fa99a3a11bdd77fef6b4a97f1021eb30b5ba40
Patch
https://git.kernel.org/stable/c/382ff44716603a54f5fd238ddec6a2468e217612
Patch
https://git.kernel.org/stable/c/f65955340e0044f5c41ac799a01698ac7dee8a4e
Patch
https://git.kernel.org/stable/c/19d636b663e0e92951bba5fced929ca7fd25c552
Patch
https://git.kernel.org/stable/c/0f90099d18e3abdc01babf686f41f63fe04939c1
Patch
https://git.kernel.org/stable/c/3b0fcf5e29c0940e1169ce9c44f73edd98bdf12d
Patch
https://git.kernel.org/stable/c/022152aaebe116a25c39818a07e175a8cd3c1e11
Patch