oss-security - Re: CVE-2021-23133: Linux kernel: race condition in sctp sockets

Follow @Openwall on Twitter for new release announcements and other news

[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]

Message-ID: <20210510042443.GA19253@lorien.valinor.li>
Date: Mon, 10 May 2021 06:24:43 +0200
From: Salvatore Bonaccorso <carnil@...ian.org>
To: oss-security@...ts.openwall.com
Cc: Nadav Markus <nmarkus@...oaltonetworks.com>,
	Or Cohen <orcohen@...oaltonetworks.com>
Subject: Re: CVE-2021-23133: Linux kernel: race condition in
 sctp sockets

Hi,

On Sun, Apr 18, 2021 at 11:41:06AM +0300, Or Cohen wrote:
> Hello,
> 
> This is an announcement about CVE-2021-23133 which is a race-condition
> I found in Linux kernel sctp sockets (net/sctp/socket.c). It can lead to kernel
> privilege escalation from the context of a network service or from
> an unprivileged process if certain conditions are met.
> 
> The bug was fixed on April 13, 2021:
> https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=b166a20b07382b8bc1dcee2a448715c9c2c81b5b

It looks that additionally
https://git.kernel.org/linus/34e5b01186858b36c4d7c87e1a025071e8e2401f
refer to CVE-2021-23133.

Are both commits necessary?

Regards,
Salvatore

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.