oss-sec mailing list archives
Linux kernel: Reachable BUG_ON from userspace in sctp_wait_for_sndbuf()
From: Vladis Dronov <vdronov () redhat com>
Date: Tue, 14 Feb 2017 08:02:19 -0500 (EST)
Hello,

I'm not sure if now I should be posting this on os-sec@ after requesting a CVE-ID via MITRE's web-form. Anyway.

It was reported that with Linux kernel, earlier than version v4.10-rc8, an application may trigger a BUG_ON() in sctp_wait_for_sndbuf() if the socket TX buffer is full, a thread is waiting on it to queue more data, and meanwhile another thread peels off the association being used by the first thread.

References:

https://lkml.org/lkml/2017/1/30/238

https://bugzilla.redhat.com/show_bug.cgi?id=1420276

Upstream patch:

https://github.com/torvalds/linux/commit/2dcab598484185dea7ec22219c76dcdd59e3cb90

Best regards,
Vladis Dronov | Red Hat, Inc. | Product Security Engineer