oss-sec mailing list archives

Linux Kernel: sctp: KASLR leak in inet_diag_msg_sctpasoc_fill()


From: Pietro Borrello <borrello () diag uniroma1 it>
Date: Mon, 23 Jan 2023 19:39:41 +0100

Hi all,

We reported a type confusion in inet_diag_msg_sctpasoc_fill() in
net/sctp/diag.c, which uses a type-confused pointer to return
information to userspace when issuing a list_entry() on
asoc->base.bind_addr.address_list.next when the list is empty.

The list, in theory, should never be empty, but it can be when binding
an SCTP socket with something like:
```c
struct sockaddr_in6 servaddr = { 0 };   /* bind address: loopback, scope 0 */
servaddr.sin6_family = AF_INET6;
servaddr.sin6_port = htons(0);          /* port 0: let the kernel choose */
servaddr.sin6_scope_id = 0;
inet_pton(AF_INET6, "::1", &servaddr.sin6_addr);
```

And then requesting a connection to:
```c
struct sockaddr_in6 connaddr = { 0 };   /* peer address: link-local, scope "lo" */
connaddr.sin6_family = AF_INET6;
connaddr.sin6_port = htons(20000);
connaddr.sin6_scope_id = if_nametoindex("lo");
inet_pton(AF_INET6, "fe88::1", &connaddr.sin6_addr);
```

The impact of the type confusion is a KASLR leak since the `laddr.v6.sin6_addr`
is returned from the type confused pointer, which overlaps with `struct
sctp_endpoint *ep` of the `struct sctp_association`.
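The mechanism behind the leak is the general one of calling list_entry() on the head of an empty list: `next` then points back at the head itself, so the computed "entry" pointer lands inside the containing structure rather than in a real element. The following is an added example (not from this report or the kernel tree) that reproduces that pattern in a userspace model. The `struct list_head` helpers, `struct addr_entry`, `struct container` and their field layouts are constructed for the demonstration and do not mirror the real `sctp_sockaddr_entry` or `sctp_association` layouts; the `list_empty()` guard shown is a generic defensive check, not the maintainer's actual fix, which instead prevents the mismatched-scope connection that empties the list.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Minimal userspace model of the kernel's intrusive list_head API
 * (constructed for this example; not the kernel's list.h). */
struct list_head { struct list_head *next, *prev; };

#define container_of(ptr, type, member) \
    ((type *)((char *)(ptr) - offsetof(type, member)))
#define list_entry(ptr, type, member) container_of(ptr, type, member)

static void init_list_head(struct list_head *h) { h->next = h->prev = h; }
static int list_empty(const struct list_head *h) { return h->next == h; }
static void list_add_tail(struct list_head *n, struct list_head *h)
{
    n->prev = h->prev; n->next = h;
    h->prev->next = n; h->prev = n;
}

/* Hypothetical element type, standing in for an address entry:
 * the address payload sits before the list link. */
struct addr_entry {
    uint64_t addr;          /* the field a caller copies out to userspace */
    struct list_head list;
};

/* Hypothetical container, standing in for the association: a kernel
 * pointer sits just before the list head. The layouts are constructed so
 * that the two link offsets coincide, which is what makes the empty-list
 * list_entry() land on the container's own pointer field. */
struct container {
    uint64_t secret_ptr;    /* placeholder for a kernel address */
    struct list_head address_list;
};
_Static_assert(offsetof(struct addr_entry, list) == offsetof(struct container, address_list),
               "constructed layouts must line up for the demonstration");

/* Buggy pattern: take the "first entry" without checking emptiness. When
 * the list is empty, address_list.next points back at address_list
 * itself, so list_entry() yields a pointer into the container. */
static struct addr_entry *first_entry_unchecked(struct container *c)
{
    return list_entry(c->address_list.next, struct addr_entry, list);
}

/* Returns 1 if the type-confused "entry" is really the container itself. */
static int first_entry_is_container(struct container *c)
{
    return (void *)first_entry_unchecked(c) == (void *)c;
}

/* What a caller that copies entry->addr out would leak. memcpy is used
 * instead of a direct load because the kernel builds with
 * -fno-strict-aliasing and portable userspace C does not. */
static uint64_t first_addr_unchecked(struct container *c)
{
    uint64_t v;
    memcpy(&v, &first_entry_unchecked(c)->addr, sizeof v);
    return v;
}

/* Defensive variant: refuse to dereference an entry that does not exist.
 * (Generic guard for this example; the maintainer's real fix is the scope
 * check described in the report.) */
static int first_addr_checked(struct container *c, uint64_t *out)
{
    if (list_empty(&c->address_list))
        return -1;
    memcpy(out, &first_entry_unchecked(c)->addr, sizeof *out);
    return 0;
}

int main(void)
{
    struct container c;
    struct addr_entry e = { .addr = 42 };
    uint64_t out = 0;

    c.secret_ptr = 0xffffffff81000000ULL;  /* constructed value, not a real address */
    init_list_head(&c.address_list);

    printf("empty list: entry==container? %d, unchecked read=0x%llx, checked rc=%d\n",
           first_entry_is_container(&c),
           (unsigned long long)first_addr_unchecked(&c),
           first_addr_checked(&c, &out));

    list_add_tail(&e.list, &c.address_list);
    printf("one entry: checked rc=%d, addr=%llu\n",
           first_addr_checked(&c, &out), (unsigned long long)out);
    return 0;
}
```

With the list empty, the unchecked path returns the container's own pointer field (the model's "KASLR leak"); once an element is present, both paths agree, which is why the bug only shows up on the path that leaves the bind address list empty.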

The fix from the maintainer prevents the connection to the socket with
unmatched scopes and will be merged soon:
https://lore.kernel.org/linux-sctp/9fcd182f1099f86c6661f3717f63712ddd1c676c.1674496737.git.marcelo.leitner%40gmail.com/T/

Best regards,
Pietro Borrello
