Linux Kernel SCTP Transport Use-After-Free Vulnerability

Vulnerability

A use-after-free vulnerability has been identified in the Linux kernel's SCTP (Stream Control Transmission Protocol) implementation. This issue arises in the 'sendmsg' function when the system reuses associations and transports based on the socket endpoint and message destination. A race condition can occur if another thread unbinds a transport after it has been selected for sending but before the message is dispatched. This can lead to a use-after-free situation when the transport data is accessed while being flushed from the association's outqueue. The vulnerability has been addressed by restoring a 'dead' tag to the transport structure, allowing the system to detect and handle deleted transports appropriately, preventing the use-after-free condition.
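The fix described above restores a "dead" marker to the transport so that a sender which re-acquires the lock can notice the transport was unbound in the meantime. The following user-space C model is an added illustration of that defensive pattern; it is not kernel code and none of its names (`struct transport`, `assoc_select`, `assoc_unbind`, `sender_send`, `demo_race`) exist in the SCTP implementation. It pairs the dead flag with a reference count so that an unbind can never free an object another path still holds, and `demo_race(1)` drives the select / unbind / send interleaving sequentially to show the sender failing safely instead of touching freed memory.

```c
/* Added illustration (not kernel code): a user-space model of the
 * "dead" flag pattern the advisory describes. A transport that is
 * unbound while a sender still holds it is marked dead and kept alive
 * by its refcount; the sender re-checks the flag after it re-acquires
 * the lock. All structure and function names are hypothetical. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_TRANSPORTS 4

struct transport {
    int refcnt;     /* references: association list + in-flight senders */
    int dead;       /* set on unbind; checked by anyone who re-locks */
    char addr[32];
};

struct association {
    struct transport *list[MAX_TRANSPORTS];
    int count;
};

static struct transport *transport_new(const char *addr) {
    struct transport *t = calloc(1, sizeof(*t));
    if (!t) abort();
    t->refcnt = 1;  /* the association list's own reference */
    snprintf(t->addr, sizeof(t->addr), "%s", addr);
    return t;
}

static void transport_hold(struct transport *t) { t->refcnt++; }

/* Drop one reference; memory is released only when nobody holds it. */
static void transport_put(struct transport *t) {
    if (--t->refcnt == 0)
        free(t);
}

static int assoc_add(struct association *a, const char *addr) {
    if (a->count >= MAX_TRANSPORTS) return -1;
    a->list[a->count++] = transport_new(addr);
    return 0;
}

/* Step 1: the sender selects a transport and takes its own reference. */
static struct transport *assoc_select(struct association *a, const char *addr) {
    for (int i = 0; i < a->count; i++) {
        if (strcmp(a->list[i]->addr, addr) == 0) {
            transport_hold(a->list[i]);
            return a->list[i];
        }
    }
    return NULL;
}

/* Step 2 (the racing thread): unbind marks the transport dead and drops
 * the list's reference. Without the flag and the refcount this would
 * leave the sender holding a dangling pointer. */
static int assoc_unbind(struct association *a, const char *addr) {
    for (int i = 0; i < a->count; i++) {
        struct transport *t = a->list[i];
        if (strcmp(t->addr, addr) == 0) {
            t->dead = 1;
            a->list[i] = a->list[--a->count];
            transport_put(t);
            return 0;
        }
    }
    return -1;
}

/* Step 3: the sender re-acquires the lock and must re-validate before use.
 * Returns 0 on send, -1 if the transport was unbound in the meantime. */
static int sender_send(struct transport *t, const char *payload, size_t len) {
    int rc;
    if (t->dead) {
        rc = -1;    /* transport gone: reselect or fail, never dereference further */
    } else {
        printf("sent %zu bytes of \"%s\" via %s\n", len, payload, t->addr);
        rc = 0;
    }
    transport_put(t);   /* release the sender's reference */
    return rc;
}

/* Drives the interleaving with a constructed peer address: select, an
 * optional racing unbind, then send. Returns the send result. */
static int demo_race(int unbind_between) {
    struct association a = { .count = 0 };
    assoc_add(&a, "10.0.0.1");  /* constructed sample peer, not from the advisory */
    struct transport *t = assoc_select(&a, "10.0.0.1");
    if (!t) return -2;
    if (unbind_between)
        assoc_unbind(&a, "10.0.0.1");
    int rc = sender_send(t, "hello", 5);
    while (a.count > 0)         /* tear down whatever is still bound */
        assoc_unbind(&a, a.list[0]->addr);
    return rc;
}

int main(void) {
    printf("no race: %d\n", demo_race(0));  /* 0: message sent */
    printf("race:    %d\n", demo_race(1));  /* -1: detected, no freed memory touched */
    return 0;
}
```

The point of the model is the order of operations in `sender_send`: validate the object after re-locking, and only then use it, with the refcount guaranteeing the object is still valid memory while the check runs.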

Impact

Triggering the race causes the kernel to read freed memory; depending on what has since reused that memory, this could lead to a denial-of-service condition or potentially be leveraged for arbitrary code execution.

Reproduction

The vulnerability can be reproduced by creating a scenario where a transport is selected for sending a message, but another thread unbinds the transport before the message is sent. This can be done by filling the send buffer, which temporarily releases the socket lock, allowing the transport to be unbound and creating a race condition that leads to the use-after-free vulnerability.

Remediation

Users should upgrade to the latest version of the Linux kernel where this vulnerability has been fixed.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 9.0
impact: 2.5
exploitability: 5.3
remediation: 0.0
relevance: 0.0
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.