Re: CVE-2021-23133: Linux kernel: race condition in sctp sockets

[Alex Murray <alex.murray () canonical com>]

On Mon, 2021-05-10 at 15:40:53 +0930, Salvatore Bonaccorso wrote:

> Hi Alex,
>
> On Mon, May 10, 2021 at 03:28:02PM +0930, Alex Murray wrote:
> > On Mon, 2021-05-10 at 13:54:43 +0930, Salvatore Bonaccorso wrote:
> >
> > > Hi,
> > > 
> > > On Sun, Apr 18, 2021 at 11:41:06AM +0300, Or Cohen wrote:
> > > > Hello,
> > > > 
> > > > This is an announcement about CVE-2021-23133 which is a 
> > > > race-condition
> > > > I found in Linux kernel sctp sockets (net/sctp/socket.c). It can
> > > > lead to kernel
> > > > privilege escalation from the context of a network service or from
> > > > an unprivileged process if certain conditions are met.
> > > > 
> > > > The bug was fixed on April 13, 2021:
> > > > 
> > https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=b166a20b07382b8bc1dcee2a448715c9c2c81b5b
> > > 
> > > It looks that additionally
> > > https://git.kernel.org/linus/34e5b01186858b36c4d7c87e1a025071e8e2401f
> > > refer to CVE-2021-23133.
> >
> > It seems b166a20b07382b8bc1dcee2a448715c9c2c81b5b got reverted in the
> > follow-up commit
> > https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/net/sctp/socket.c?id=01bfe5e8e428b475982a98a46cca5755726f3f7f
> > and so 34e5b01186858b36c4d7c87e1a025071e8e2401f would appear to be the
> > most correct fix from what I can tell.
>
> Ah right, I missed the revert of the original commit.
>
> Thanks for pointing that to me.

No worries - thanks for pointing out the new commit otherwise I wouldn't
have gone investigating to find the revert ;)

> Regards,
> Salvatore