Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <993560327.6397475.1452519141475.JavaMail.zimbra@redhat.com>
Date: Mon, 11 Jan 2016 08:32:21 -0500 (EST)
From: Wade Mealing <wmealing@...hat.com>
To: OSS Security List <oss-security@...ts.openwall.com>
Cc: cve-assign@...re.org
Subject: CVE Request: Linux kernel -  SCTP denial of service during
 heartbeat timeout functions.

Gday all,

>From the patch[1] commit comments:

--
A case can occur when sctp_accept() is called by the user during
a heartbeat timeout event after the 4-way handshake.  Since
sctp_assoc_migrate() changes both assoc->base.sk and assoc->ep, the
bh_sock_lock in sctp_generate_heartbeat_event() will be taken with
the listening socket but released with the new association socket.
The result is a deadlock on any future attempts to take the listening
socket lock.

Note that this race can occur with other SCTP timeouts that take
the bh_lock_sock() in the event sctp_accept() is called.
---

TLDR: ensure that the lock on the socket taken is also the
same one that is released by saving a copy of the socket 
before entering the heartbeat event critical section.

I'd like a CVE for this issue. 

Thanks !

Wade Mealing
Red Hat Product Security

Resources:
https://bugzilla.redhat.com/show_bug.cgi?id=1297389
https://patchwork.ozlabs.org/patch/522412/

Patch commit notes (net-next.git):
[1] https://kernel.googlesource.com/pub/scm/linux/kernel/git/horms/ipvs/+/635682a14427d241bab7bbdeebb48a7d7b91638e

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.