Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Mon, 10 May 2021 16:22:20 +0930
From: Alex Murray <alex.murray@...onical.com>
To: oss-security@...ts.openwall.com
Cc: Nadav Markus <nmarkus@...oaltonetworks.com>, Or Cohen
 <orcohen@...oaltonetworks.com>, Salvatore Bonaccorso <carnil@...ian.org>
Subject: Re: CVE-2021-23133: Linux kernel: race condition in
 sctp sockets


On Mon, 2021-05-10 at 15:40:53 +0930, Salvatore Bonaccorso wrote:

> Hi Alex,
>
> On Mon, May 10, 2021 at 03:28:02PM +0930, Alex Murray wrote:
>> 
>> On Mon, 2021-05-10 at 13:54:43 +0930, Salvatore Bonaccorso wrote:
>> 
>> > Hi,
>> > 
>> > On Sun, Apr 18, 2021 at 11:41:06AM +0300, Or Cohen wrote:
>> > > Hello,
>> > > 
>> > > This is an announcement about CVE-2021-23133 which is a 
>> > > race-condition
>> > > I found in Linux kernel sctp sockets (net/sctp/socket.c). It can
>> > > lead to kernel
>> > > privilege escalation from the context of a network service or from
>> > > an unprivileged process if certain conditions are met.
>> > > 
>> > > The bug was fixed on April 13, 2021:
>> > > https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=b166a20b07382b8bc1dcee2a448715c9c2c81b5b
>> > 
>> > It looks that additionally
>> > https://git.kernel.org/linus/34e5b01186858b36c4d7c87e1a025071e8e2401f
>> > refer to CVE-2021-23133.
>> 
>> It seems b166a20b07382b8bc1dcee2a448715c9c2c81b5b got reverted in the
>> follow-up commit
>> https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/net/sctp/socket.c?id=01bfe5e8e428b475982a98a46cca5755726f3f7f
>> and so 34e5b01186858b36c4d7c87e1a025071e8e2401f would appear to be the
>> most correct fix from what I can tell.
>
> Ah right, I missed the revert of the original commit.
>
> Thanks for pointing that to me.

No worries - thanks for pointing out the new commit otherwise I wouldn't
have gone investigating to find the revert ;)

>
> Regards,
> Salvatore

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.