Date: Mon, 23 Jan 2023 19:39:41 +0100 From: Pietro Borrello <borrello@...g.uniroma1.it> To: oss-security@...ts.openwall.com Subject: Linux Kernel: sctp: KASLR leak in inet_diag_msg_sctpasoc_fill() Hi all, We reported a type confusion in inet_diag_msg_sctpasoc_fill() in net/sctp/diag.c, which uses a type confused pointer to return information to userspace when issuing a list_entry() on asoc->base.bind_addr.address_list.next when the list is empty. The list, in theory, should never be empty, but it can be when binding an SCTP socket with something like: ``` servaddr.sin6_family = AF_INET6; servaddr.sin6_port = htons(0); servaddr.sin6_scope_id = 0; inet_pton(AF_INET6, "::1", &servaddr.sin6_addr); ``` And then request a connection to: ``` connaddr.sin6_family = AF_INET6; connaddr.sin6_port = htons(20000); connaddr.sin6_scope_id = if_nametoindex("lo"); inet_pton(AF_INET6, "fe88::1", &connaddr.sin6_addr); ``` The impact of the type confusion is a KASLR leak since the `laddr.v6.sin6_addr` is returned from the type confused pointer, which overlaps with `struct sctp_endpoint *ep` of the `struct sctp_association`. The fix from the maintainer prevents the connection to the socket with unmatched scopes and will be merged soon: https://lore.kernel.org/linux-sctp/9fcd182f1099f86c6661f3717f63712ddd1c676c.1674496737.git.marcelo.leitner%40gmail.com/T/ Best regards, Pietro Borrello
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.