oss-sec mailing list archives
Linux Kernel: sctp: KASLR leak in inet_diag_msg_sctpasoc_fill()
From: Pietro Borrello <borrello () diag uniroma1 it>
Date: Mon, 23 Jan 2023 19:39:41 +0100
Hi all, We reported a type confusion in inet_diag_msg_sctpasoc_fill() in net/sctp/diag.c, which uses a type confused pointer to return information to userspace when issuing a list_entry() on asoc->base.bind_addr.address_list.next when the list is empty. The list, in theory, should never be empty, but it can be when binding an SCTP socket with something like: ``` servaddr.sin6_family = AF_INET6; servaddr.sin6_port = htons(0); servaddr.sin6_scope_id = 0; inet_pton(AF_INET6, "::1", &servaddr.sin6_addr); ``` And then request a connection to: ``` connaddr.sin6_family = AF_INET6; connaddr.sin6_port = htons(20000); connaddr.sin6_scope_id = if_nametoindex("lo"); inet_pton(AF_INET6, "fe88::1", &connaddr.sin6_addr); ``` The impact of the type confusion is a KASLR leak since the `laddr.v6.sin6_addr` is returned from the type confused pointer, which overlaps with `struct sctp_endpoint *ep` of the `struct sctp_association`. The fix from the maintainer prevents the connection to the socket with unmatched scopes and will be merged soon: https://lore.kernel.org/linux-sctp/9fcd182f1099f86c6661f3717f63712ddd1c676c.1674496737.git.marcelo.leitner%40gmail.com/T/ Best regards, Pietro Borrello
Current thread:
- Linux Kernel: sctp: KASLR leak in inet_diag_msg_sctpasoc_fill() Pietro Borrello (Jan 23)