CVE-2022-50243

Summary

In the Linux kernel, the following vulnerability has been resolved:

sctp: handle the error returned from sctp_auth_asoc_init_active_key

When it returns an error from sctp_auth_asoc_init_active_key(), the active_key is actually not updated. The old sh_key will be freeed while it's still used as active key in asoc. Then an use-after-free will be triggered when sending patckets, as found by syzbot:

sctp_auth_shkey_hold+0x22/0xa0 net/sctp/auth.c:112 sctp_set_owner_w net/sctp/socket.c:132 [inline] sctp_sendmsg_to_asoc+0xbd5/0x1a20 net/sctp/socket.c:1863 sctp_sendmsg+0x1053/0x1d50 net/sctp/socket.c:2025 inet_sendmsg+0x99/0xe0 net/ipv4/af_inet.c:819 sock_sendmsg_nosec net/socket.c:714 [inline] sock_sendmsg+0xcf/0x120 net/socket.c:734

This patch is to fix it by not replacing the sh_key when it returns errors from sctp_auth_asoc_init_active_key() in sctp_auth_set_key(). For sctp_auth_set_active_key(), old active_key_id will be set back to asoc->active_key_id when the same thing happens.

Affected Software

VendorProductVersion RangeStatus
LinuxLinux50b57223da67653c61e405d0a7592355cfe4585e < b8fa99a3a11bdd77fef6b4a97f1021eb30b5ba40affected
LinuxLinuxb60461696a0b0fdaf240bc365b7983698f88ded2 < 382ff44716603a54f5fd238ddec6a2468e217612affected
LinuxLinux8eb225873246312660ccd68296959a7b213d0cdd < f65955340e0044f5c41ac799a01698ac7dee8a4eaffected
LinuxLinux58acd10092268831e49de279446c314727101292 < 19d636b663e0e92951bba5fced929ca7fd25c552affected
LinuxLinux58acd10092268831e49de279446c314727101292 < 0f90099d18e3abdc01babf686f41f63fe04939c1affected
LinuxLinux58acd10092268831e49de279446c314727101292 < 3b0fcf5e29c0940e1169ce9c44f73edd98bdf12daffected
LinuxLinux58acd10092268831e49de279446c314727101292 < 022152aaebe116a25c39818a07e175a8cd3c1e11affected
LinuxLinuxc1de376423a7759bf4fa25d6a038a4c1e035c9e1affected
LinuxLinux4.19.199 < 4.19.262affected
LinuxLinux5.4.136 < 5.4.220affected
LinuxLinux5.10.54 < 5.10.150affected
LinuxLinux5.13.6 < 5.14affected
LinuxLinux5.14affected
LinuxLinux0 < 5.14unaffected
LinuxLinux4.19.262 <= 4.19.*unaffected
LinuxLinux5.4.220 <= 5.4.*unaffected
LinuxLinux5.10.150 <= 5.10.*unaffected
LinuxLinux5.15.75 <= 5.15.*unaffected
LinuxLinux5.19.17 <= 5.19.*unaffected
LinuxLinux6.0.3 <= 6.0.*unaffected
LinuxLinux6.1 <= *unaffected

Weaknesses

References