Bug 2320496 (CVE-2024-49944) - CVE-2024-49944 kernel: sctp: set sk_state back to CLOSED if autobind fails in sctp_listen_start
Summary: CVE-2024-49944 kernel: sctp: set sk_state back to CLOSED if autobind fails in...
Keywords:
Status: NEW
Alias: CVE-2024-49944
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On: 2320977
Blocks:
TreeView+ depends on / blocked
 
Reported: 2024-10-21 19:05 UTC by OSIDB Bzimport
Modified: 2024-10-22 19:13 UTC (History)
4 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)

Description OSIDB Bzimport 2024-10-21 19:05:53 UTC 
In the Linux kernel, the following vulnerability has been resolved:

sctp: set sk_state back to CLOSED if autobind fails in sctp_listen_start

In sctp_listen_start() invoked by sctp_inet_listen(), it should set the
sk_state back to CLOSED if sctp_autobind() fails due to whatever reason.

Otherwise, next time when calling sctp_inet_listen(), if sctp_sk(sk)->reuse
is already set via setsockopt(SCTP_REUSE_PORT), sctp_sk(sk)->bind_hash will
be dereferenced as sk_state is LISTENING, which causes a crash as bind_hash
is NULL.

  KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
  RIP: 0010:sctp_inet_listen+0x7f0/0xa20 net/sctp/socket.c:8617
  Call Trace:
   <TASK>
   __sys_listen_socket net/socket.c:1883 [inline]
   __sys_listen+0x1b7/0x230 net/socket.c:1894
   __do_sys_listen net/socket.c:1902 [inline]
Comment 1 Michal Findra 2024-10-22 13:00:53 UTC 
Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2024102128-CVE-2024-49944-240a@gregkh/T
Note You need to log in before you can comment on or make changes to this bug.