oss-sec mailing list archives
Re: Linux kernel: Reachable BUG_ON from userspace in sctp_wait_for_sndbuf()
From: Vladis Dronov <vdronov () redhat com>
Date: Tue, 14 Feb 2017 09:14:24 -0500 (EST)
CVE-2017-5986 was assigned, thanks.
[Suggested description] It was reported that with Linux kernel, earlier than version v4.10-rc8, an application may trigger a BUG_ON() in sctp_wait_for_sndbuf() if the socket TX buffer is full, a thread is waiting on it to queue more data, and meanwhile another thread peels off the association being used by the first thread. ------------------------------------------ [Additional Information] A panic (BUG_ON()) is triggerable by a random user in userspace. There is no reproducer, but triggering it is easy: - bind&list a socket - connect to it (may use localhost) - accept the association - create a second thread - push data until sendmsg returns AGAIN - call a blocking sendmsg() - (2nd thread) do peel off operation - read some data - panic ------------------------------------------ [VulnerabilityType Other] CWE-617 - Reachable Assertion - http://cwe.mitre.org/data/definitions/617.html ------------------------------------------ [Vendor of Product] kernel.org: Linux kernel ------------------------------------------ [Affected Product Code Base] Linux kernel - fixed in v4.10-rc8 ------------------------------------------ [Affected Component] The Linux kernel, file net/sctp/socket.c, function sctp_wait_for_sndbuf() ------------------------------------------ [Attack Type] Local ------------------------------------------ [Impact Denial of Service] true ------------------------------------------ [Attack Vectors] To exploit vulnerability a certain code should be run from a non-privileged user and a certain race condition in the kernel code should be hit ------------------------------------------ [Reference] https://bugzilla.redhat.com/show_bug.cgi?id=1420276 https://lkml.org/lkml/2017/1/30/238 https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=2dcab598484185dea7ec22219c76dcdd59e3cb90 ------------------------------------------ [Has vendor confirmed or acknowledged the vulnerability?] true ------------------------------------------ [Discoverer] Alexander Popov <alex.popov () linux com> Use CVE-2017-5986. --- CVE Assignment Team
Current thread:
- Linux kernel: Reachable BUG_ON from userspace in sctp_wait_for_sndbuf() Vladis Dronov (Feb 14)
- Re: Linux kernel: Reachable BUG_ON from userspace in sctp_wait_for_sndbuf() Henri Salo (Feb 14)
- Re: Linux kernel: Reachable BUG_ON from userspace in sctp_wait_for_sndbuf() Vladis Dronov (Feb 14)