Bug 2187953 (CVE-2023-2177)

Summary: CVE-2023-2177 Kernel: NULL pointer dereference problem in sctp_sched_dequeue_common
Product: [Other] Security Response Reporter: Rohit Keshri <rkeshri>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: acaringi, allarkin, bhu, chwhite, crwood, dbohanno, ddepaula, debarbos, dfreiber, dvlasenk, ezulian, hkrzesin, jarod, jburrell, jdenham, jfaracco, jferlan, jforbes, jlelli, joe.lawrence, jshortt, jstancek, jwyatt, kcarcia, kernel-mgr, ldoskova, lgoncalv, lzampier, mcascell, nmurray, ptalbert, qzhao, rogbas, rrobaina, rvrbovsk, rysulliv, scweaver, sgrubb, tyberry, vkumar, walters, wcosta, williams, wmealing, ycote
Target Milestone: ---Keywords: Reopened, Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: kernel 5.19-rc17 Doc Type: If docs needed, set a value
Doc Text:
A NULL pointer dereference issue was found in the SCTP network protocol in net/sctp/stream_sched.c in the Linux kernel. If stream_in allocation fails, stream_out is freed, which would be accessed further. This flaw allows a local user to crash the system or potentially cause a denial of service.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2023-04-19 13:35:10 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2125474, 2127771, 2134892, 2134900, 2224520, 2225150, 2231819, 2231820, 2231821, 2231822    
Bug Blocks: 2158739    

Description Rohit Keshri 2023-04-19 08:18:05 UTC 
A null pointer dereference issue was found in the sctp network protocol in net/sctp/stream_sched.c in Linux before 5.18. If stream_in allocation is failed, stream_out is freed which would further be accessed. A local user could use this flaw to crash the system or potentially cause a denial of service.

Affected component: stcp protocol

References:
https://lore.kernel.org/netdev/CADvbK_dWMO0XdAf950Q14pUv99ahS1MRnOtppvosU2w33sO=kw@mail.gmail.com/T/
https://git.kernel.org/pub/scm/linux/kernel/git/netdev/net.git/commit/?id=181d8d2066c0
Comment 2 Product Security DevOps Team 2023-04-19 13:35:07 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2023-2177
Comment 12 Mauro Matteo Cascella 2023-08-14 09:59:41 UTC 
This issue was fixed upstream in kernel version 5.19. The kernel packages as shipped in Red Hat Enterprise Linux 8 and 9 were previously updated to a version that contains the fix via the following errata:

kernel in Red Hat Enterprise Linux 8
https://access.redhat.com/errata/RHSA-2023:2951

kernel-rt in Red Hat Enterprise Linux 8
https://access.redhat.com/errata/RHSA-2023:2736

kernel in Red Hat Enterprise Linux 9
https://access.redhat.com/errata/RHSA-2023:2458

kernel-rt in Red Hat Enterprise Linux 9
https://access.redhat.com/errata/RHSA-2023:2148
Comment 13 errata-xmlrpc 2023-11-21 11:42:02 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Extended Update Support

Via RHSA-2023:7398 https://access.redhat.com/errata/RHSA-2023:7398