Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Mon, 23 Jan 2023 19:39:41 +0100
From: Pietro Borrello <>
Subject: Linux Kernel: sctp: KASLR leak in inet_diag_msg_sctpasoc_fill()

Hi all,

We reported a type confusion in inet_diag_msg_sctpasoc_fill() in
net/sctp/diag.c, which uses a type confused pointer to return
information to userspace when issuing a list_entry() on
asoc-> when the list is empty.

The list, in theory, should never be empty, but it can be when binding
an SCTP socket with something like:
servaddr.sin6_family = AF_INET6;
servaddr.sin6_port = htons(0);
servaddr.sin6_scope_id = 0;
inet_pton(AF_INET6, "::1", &servaddr.sin6_addr);

And then request a connection to:
connaddr.sin6_family = AF_INET6;
connaddr.sin6_port = htons(20000);
connaddr.sin6_scope_id = if_nametoindex("lo");
inet_pton(AF_INET6, "fe88::1", &connaddr.sin6_addr);

The impact of the type confusion is a KASLR leak since the `laddr.v6.sin6_addr`
is returned from the type confused pointer, which overlaps with `struct
sctp_endpoint *ep` of the `struct sctp_association`.

The fix from the maintainer prevents the connection to the socket with
unmatched scopes and will be merged soon:

Best regards,
Pietro Borrello

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.