Date: Sun, 5 Nov 2023 18:40:29 +0100
From: Solar Designer <>
To: Pietro Borrello <>
Subject: Re: Linux Kernel: sctp: KASLR leak in inet_diag_msg_sctpasoc_fill()

On Mon, Jan 23, 2023 at 07:39:41PM +0100, Pietro Borrello wrote:
> We reported a type confusion in inet_diag_msg_sctpasoc_fill() in
> net/sctp/diag.c, which uses a type confused pointer to return
> information to userspace when issuing a list_entry() on
> asoc-> when the list is empty.
> The list, in theory, should never be empty, but it can be when binding
> an SCTP socket with something like:
> ```c
> /* local endpoint: loopback address, ephemeral port, no scope */
> struct sockaddr_in6 servaddr = {0};
> servaddr.sin6_family = AF_INET6;
> servaddr.sin6_port = htons(0);
> servaddr.sin6_scope_id = 0;
> inet_pton(AF_INET6, "::1", &servaddr.sin6_addr);
> ```
> And then request a connection to:
> ```c
> /* peer endpoint: link-local address scoped to the loopback interface */
> struct sockaddr_in6 connaddr = {0};
> connaddr.sin6_family = AF_INET6;
> connaddr.sin6_port = htons(20000);
> connaddr.sin6_scope_id = if_nametoindex("lo");
> inet_pton(AF_INET6, "fe88::1", &connaddr.sin6_addr);
> ```
> The impact of the type confusion is a KASLR leak since the `laddr.v6.sin6_addr`
> is returned from the type confused pointer, which overlaps with `struct
> sctp_endpoint *ep` of the `struct sctp_association`.
> The fix from the maintainer prevents the connection to the socket with
> unmatched scopes and will be merged soon:

This was assigned CVE-2023-1074:

CVE-2023-1074 - KASLR Leak in inet_diag_msg_sctpasoc_fill()
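As an added illustration (not code from the reporter, the kernel, or this list), the program below builds the two endpoints quoted above, shows that they fall into different address scopes (::1 is loopback, fe88::1 is inside fe80::/10 and therefore link-local), and, on a Linux host with SCTP available, replays the bind plus connect sequence non-blockingly. The scope classification is a simplified one written for this example and is not the kernel's own sctp_scope() logic; the return codes of run_sequence() are also this example's convention. The report says the fix refuses the connection for mismatched scopes but does not state which errno, so none is assumed here.

```c
/* Added example: reproduce the endpoint setup from the report and check
 * why the bound-address list can end up empty (scope mismatch).
 * Not the reporter's code; return codes and scope enum are this example's. */
#include <arpa/inet.h>
#include <errno.h>
#include <fcntl.h>
#include <net/if.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

#ifndef IPPROTO_SCTP
#define IPPROTO_SCTP 132
#endif

/* Simplified scope classes for this example (not the kernel's sctp_scope()). */
enum addr6_scope { SCOPE_LOOPBACK, SCOPE_LINKLOCAL, SCOPE_SITELOCAL, SCOPE_GLOBAL };

static enum addr6_scope addr6_scope(const struct in6_addr *a)
{
    if (IN6_IS_ADDR_LOOPBACK(a))  return SCOPE_LOOPBACK;
    if (IN6_IS_ADDR_LINKLOCAL(a)) return SCOPE_LINKLOCAL;   /* fe80::/10 */
    if (IN6_IS_ADDR_SITELOCAL(a)) return SCOPE_SITELOCAL;
    return SCOPE_GLOBAL;
}

/* Fill an IPv6 sockaddr; when ifname is non-NULL the scope_id is looked up.
 * Returns 0 on success, -1 if the address text or interface name is bad. */
static int fill_addr6(struct sockaddr_in6 *sa, const char *ip, uint16_t port,
                      const char *ifname)
{
    memset(sa, 0, sizeof(*sa));
    sa->sin6_family = AF_INET6;
    sa->sin6_port = htons(port);
    if (inet_pton(AF_INET6, ip, &sa->sin6_addr) != 1)
        return -1;
    if (ifname != NULL) {
        sa->sin6_scope_id = if_nametoindex(ifname);
        if (sa->sin6_scope_id == 0)
            return -1;
    }
    return 0;
}

/* Replay bind(::1, port 0) then connect(fe88::1%lo, 20000) on an SCTP socket.
 * Return codes (this example's own convention):
 *  -1  SCTP socket unavailable or addresses could not be built; nothing tested
 *   0  bind() failed
 *   1  connect() accepted (or in progress on the non-blocking socket)
 *   2  connect() rejected outright, the expected result once the scope check
 *      described in the report is in place */
static int run_sequence(void)
{
    struct sockaddr_in6 servaddr, connaddr;
    int fd, flags, rc;

    if (fill_addr6(&servaddr, "::1", 0, NULL) < 0 ||
        fill_addr6(&connaddr, "fe88::1", 20000, "lo") < 0)
        return -1;

    fd = socket(AF_INET6, SOCK_STREAM, IPPROTO_SCTP);
    if (fd < 0)
        return -1;
    /* non-blocking so an unanswered INIT does not hang the example */
    flags = fcntl(fd, F_GETFL, 0);
    if (flags >= 0)
        fcntl(fd, F_SETFL, flags | O_NONBLOCK);

    if (bind(fd, (struct sockaddr *)&servaddr, sizeof(servaddr)) < 0) {
        close(fd);
        return 0;
    }
    rc = connect(fd, (struct sockaddr *)&connaddr, sizeof(connaddr));
    if (rc < 0 && errno != EINPROGRESS) {
        close(fd);
        return 2;
    }
    close(fd);
    return 1;
}

int main(void)
{
    struct sockaddr_in6 a, b;
    fill_addr6(&a, "::1", 0, NULL);
    fill_addr6(&b, "fe88::1", 20000, NULL);
    printf("bind addr scope %d, peer addr scope %d (%s)\n",
           addr6_scope(&a.sin6_addr), addr6_scope(&b.sin6_addr),
           addr6_scope(&a.sin6_addr) != addr6_scope(&b.sin6_addr)
               ? "mismatch" : "same");
    printf("bind+connect sequence result: %d\n", run_sequence());
    return 0;
}
```

The scope mismatch is the whole point: the bound-address list the diag code walks is filtered by the peer's scope, so a loopback-only binding contributes nothing when the peer is link-local. A result of 2 from run_sequence() on a patched kernel is consistent with the fix the report describes; -1 only means the host has no SCTP support and says nothing about the kernel's state.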
