Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
A vulnerability in the Linux kernel's SCTP (Stream Control Transmission Protocol) implementation can lead to a time-of-check to time-of-use (TOCTOU) race condition that results in an out-of-bounds write. The issue lies in the 'sctp_diag_dump' function, which does not hold the socket lock across the whole operation. If the endpoint's address list grows between the allocation of the dump buffer and the write into it, the function writes past the end of that buffer, corrupting kernel memory.
Exploitation of this vulnerability causes memory corruption through writes beyond the allocated buffer, which can result in undefined kernel behavior and potentially in arbitrary code execution.
The vulnerability is triggered when 'sctp_diag_dump' runs without the appropriate socket lock held: a diagnostic dump of SCTP endpoints is requested while the address list is being modified at the same time, so the list grows between the buffer allocation and the write. Because nothing synchronizes the two, the function copies more entries than the buffer was sized for, producing an out-of-bounds write.
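The race described above, shown as an added user-space illustration that is not the kernel's code: the endpoint structure, the flag standing in for the socket lock, and the concurrent writer are all constructed for the demo. The racy variant sizes the buffer from a length read before the lock is dropped; the fixed variant keeps the lock from the length read through the copy.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model, not kernel code: an endpoint whose address list can grow
 * while a diagnostic dump runs. The "socket lock" is a flag for illustration. */
#define MAX_ADDRS 64
struct endpoint { size_t naddrs; uint32_t addrs[MAX_ADDRS]; };
typedef void (*writer_fn)(struct endpoint *ep);   /* concurrent context */
static int sock_locked;
static void lock_sock(void)   { sock_locked = 1; }
static void unlock_sock(void) { sock_locked = 0; }

/* The concurrent writer: binds three more addresses (constructed values). */
void grow_by_three(struct endpoint *ep) {
    for (uint32_t a = 0xC0A80101; a < 0xC0A80104 && ep->naddrs < MAX_ADDRS; a++)
        ep->addrs[ep->naddrs++] = a;
}

/* Copy the current list into buf. Returns the number of entries the list
 * held at copy time; the memcpy is clamped to cap so this demo cannot corrupt
 * memory, whereas the real bug performs the full copy past the buffer. */
static size_t copy_addrs(const struct endpoint *ep, uint32_t *buf, size_t cap) {
    size_t want = ep->naddrs;
    memcpy(buf, ep->addrs, (want < cap ? want : cap) * sizeof *buf);
    return want;
}

/* Vulnerable ordering: length read under the lock, lock dropped, buffer sized
 * from the stale length, list read again unlocked. Returns entries attempted;
 * *cap_out receives the buffer capacity. attempted > cap means an overflow. */
size_t dump_racy(struct endpoint *ep, writer_fn writer, size_t *cap_out) {
    lock_sock(); size_t n = ep->naddrs; unlock_sock();
    uint32_t *buf = calloc(n ? n : 1, sizeof *buf);
    writer(ep);                       /* grows the list in the TOCTOU window */
    size_t attempted = copy_addrs(ep, buf, n);
    free(buf); *cap_out = n; return attempted;
}

/* Fixed ordering: the lock covers sizing, allocation and the copy, so the
 * writer can only run after the dump completes (modelled by calling it last). */
size_t dump_locked(struct endpoint *ep, writer_fn writer, size_t *cap_out) {
    lock_sock();
    size_t n = ep->naddrs;
    uint32_t *buf = calloc(n ? n : 1, sizeof *buf);
    size_t attempted = copy_addrs(ep, buf, n);
    unlock_sock();
    writer(ep);                       /* was blocked on the lock until here */
    free(buf); *cap_out = n; return attempted;
}
```

With two addresses bound and a writer adding three more in the window, the racy dump attempts five entries into a two-entry buffer, while the locked dump copies exactly the two it sized for.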
Users should upgrade to a Linux kernel version that includes the fix for this vulnerability. Instructions for downloading the updated kernel are available on the official Linux kernel website.