oss-sec mailing list archives

Linux kernel: Reachable BUG_ON from userspace in sctp_wait_for_sndbuf()


From: Vladis Dronov <vdronov () redhat com>
Date: Tue, 14 Feb 2017 08:02:19 -0500 (EST)

Hello,

I'm not sure if now I should be posting this on oss-sec@ after requesting
a CVE-ID via MITRE's web-form. Anyway.

It was reported that with a Linux kernel earlier than version v4.10-rc8, an application
may trigger a BUG_ON() in sctp_wait_for_sndbuf() if the socket TX buffer is full, a thread
is waiting on it to queue more data, and meanwhile another thread peels off the association
being used by the first thread.

References:

https://lkml.org/lkml/2017/1/30/238

https://bugzilla.redhat.com/show_bug.cgi?id=1420276

Upstream patch:

https://github.com/torvalds/linux/commit/2dcab598484185dea7ec22219c76dcdd59e3cb90

Best regards,
Vladis Dronov | Red Hat, Inc. | Product Security Engineer
