Bug 2401468 (CVE-2023-53590) - CVE-2023-53590 kernel: sctp: add a refcnt in sctp_stream_priorities to avoid a nested loop
Summary: CVE-2023-53590 kernel: sctp: add a refcnt in sctp_stream_priorities to avoid ...
Keywords:
Status: NEW
Alias: CVE-2023-53590
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2025-10-04 16:02 UTC by OSIDB Bzimport
Modified: 2025-10-06 17:05 UTC (History)
0 users

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)

Description OSIDB Bzimport 2025-10-04 16:02:06 UTC 
In the Linux kernel, the following vulnerability has been resolved:

sctp: add a refcnt in sctp_stream_priorities to avoid a nested loop

With this refcnt added in sctp_stream_priorities, we don't need to
traverse all streams to check if the prio is used by other streams
when freeing one stream's prio in sctp_sched_prio_free_sid(). This
can avoid a nested loop (up to 65535 * 65535), which may cause a
stuck as Ying reported:

    watchdog: BUG: soft lockup - CPU#23 stuck for 26s! [ksoftirqd/23:136]
    Call Trace:
     <TASK>
     sctp_sched_prio_free_sid+0xab/0x100 [sctp]
     sctp_stream_free_ext+0x64/0xa0 [sctp]
     sctp_stream_free+0x31/0x50 [sctp]
     sctp_association_free+0xa5/0x200 [sctp]

Note that it doesn't need to use refcount_t type for this counter,
as its accessing is always protected under the sock lock.

v1->v2:
 - add a check in sctp_sched_prio_set to avoid the possible prio_head
   refcnt overflow.
Comment 1 Alexander B 2025-10-06 17:01:50 UTC 
Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2025100427-CVE-2023-53590-9f1d@gregkh/T
Note You need to log in before you can comment on or make changes to this bug.