CVE-2025-23142

Summary

In the Linux kernel, the following vulnerability has been resolved:

sctp: detect and prevent references to a freed transport in sendmsg

sctp_sendmsg() re-uses associations and transports when possible by doing a lookup based on the socket endpoint and the message destination address, and then sctp_sendmsg_to_asoc() sets the selected transport in all the message chunks to be sent.

There's a possible race condition if another thread triggers the removal of that selected transport, for instance, by explicitly unbinding an address with setsockopt(SCTP_SOCKOPT_BINDX_REM), after the chunks have been set up and before the message is sent. This can happen if the send buffer is full, during the period when the sender thread temporarily releases the socket lock in sctp_wait_for_sndbuf().

This causes the access to the transport data in sctp_outq_select_transport(), when the association outqueue is flushed, to result in a use-after-free read.

This change avoids this scenario by having sctp_transport_free() signal the freeing of the transport, tagging it as "dead". In order to do this, the patch restores the "dead" bit in struct sctp_transport, which was removed in commit 47faa1e4c50e ("sctp: remove the dead field of sctp_transport").

Then, in the scenario where the sender thread has released the socket lock in sctp_wait_for_sndbuf(), the bit is checked again after re-acquiring the socket lock to detect the deletion. This is done while holding a reference to the transport to prevent it from being freed in the process.

If the transport was deleted while the socket lock was relinquished, sctp_sendmsg_to_asoc() will return -EAGAIN to let userspace retry the send.

The bug was found by a private syzbot instance (see the error report [1] and the C reproducer that triggers it [2]).

Affected Software

VendorProductVersion RangeStatus
LinuxLinuxdf132eff463873e14e019a07f387b4d577d6d1f9 < 547762250220325d350d0917a7231480e0f4142baffected
LinuxLinuxdf132eff463873e14e019a07f387b4d577d6d1f9 < 3257386be6a7eb8a8bfc9cbfb746df4eb4fc70e8affected
LinuxLinuxdf132eff463873e14e019a07f387b4d577d6d1f9 < 0f7df4899299ce4662e5f95badb9dbc57cc37fa5affected
LinuxLinuxdf132eff463873e14e019a07f387b4d577d6d1f9 < 7a63f4fb0efb4e69efd990cbb740a848679ec4b0affected
LinuxLinuxdf132eff463873e14e019a07f387b4d577d6d1f9 < c6fefcb71d246baaf3bacdad1af7ff50ebcfe652affected
LinuxLinuxdf132eff463873e14e019a07f387b4d577d6d1f9 < 9e7c37fadb3be1fc33073fcf10aa96d166caa697affected
LinuxLinuxdf132eff463873e14e019a07f387b4d577d6d1f9 < 5bc83bdf5f5b8010d1ca5a4555537e62413ab4e2affected
LinuxLinuxdf132eff463873e14e019a07f387b4d577d6d1f9 < 2e5068b7e0ae0a54f6cfd03a2f80977da657f1eeaffected
LinuxLinuxdf132eff463873e14e019a07f387b4d577d6d1f9 < f1a69a940de58b16e8249dff26f74c8cc59b32beaffected
LinuxLinux26e51e5287eed4d96ea66a3da95429f42940f013affected
LinuxLinux8b97e045bd6d37f96f161e4d371ae174148e1587affected
LinuxLinuxe044554e97e812eb257d073bcc130e0ea653858faffected
LinuxLinux8376fdc999be008f0e9918db52f1ed8c08f5a1c9affected
LinuxLinuxcd947138e8c31e8cfcd489c12e9b97271beb6e79affected
LinuxLinux3.18.128 < 3.19affected
LinuxLinux4.4.166 < 4.5affected
LinuxLinux4.9.142 < 4.10affected
LinuxLinux4.14.85 < 4.15affected
LinuxLinux4.19.6 < 4.20affected
LinuxLinux4.20affected
LinuxLinux0 < 4.20unaffected
LinuxLinux5.4.293 <= 5.4.*unaffected
LinuxLinux5.10.237 <= 5.10.*unaffected
LinuxLinux5.15.181 <= 5.15.*unaffected
LinuxLinux6.1.135 <= 6.1.*unaffected
LinuxLinux6.6.88 <= 6.6.*unaffected
LinuxLinux6.12.24 <= 6.12.*unaffected
LinuxLinux6.13.12 <= 6.13.*unaffected
LinuxLinux6.14.3 <= 6.14.*unaffected
LinuxLinux6.15 <= *unaffected

Weaknesses

ADP Enrichment

CVE Program Container

Additional References

References