Date: Mon, 11 Jan 2016 08:32:21 -0500 (EST) From: Wade Mealing <wmealing@...hat.com> To: OSS Security List <oss-security@...ts.openwall.com> Cc: cve-assign@...re.org Subject: CVE Request: Linux kernel - SCTP denial of service during heartbeat timeout functions. Gday all, >From the patch commit comments: -- A case can occur when sctp_accept() is called by the user during a heartbeat timeout event after the 4-way handshake. Since sctp_assoc_migrate() changes both assoc->base.sk and assoc->ep, the bh_sock_lock in sctp_generate_heartbeat_event() will be taken with the listening socket but released with the new association socket. The result is a deadlock on any future attempts to take the listening socket lock. Note that this race can occur with other SCTP timeouts that take the bh_lock_sock() in the event sctp_accept() is called. --- TLDR: ensure that the lock on the socket taken is also the same one that is released by saving a copy of the socket before entering the heartbeat event critical section. I'd like a CVE for this issue. Thanks ! Wade Mealing Red Hat Product Security Resources: https://bugzilla.redhat.com/show_bug.cgi?id=1297389 https://patchwork.ozlabs.org/patch/522412/ Patch commit notes (net-next.git):  https://kernel.googlesource.com/pub/scm/linux/kernel/git/horms/ipvs/+/635682a14427d241bab7bbdeebb48a7d7b91638e
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.