Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:* (4 additional CPE entries not shown)
A vulnerability exists in the Linux kernel's SCTP (Stream Control Transmission Protocol) implementation, specifically within the sctp_sendmsg function. The issue arises when the SCTP_SENDALL flag is used: sctp_sendmsg iterates over the endpoint's association list, but sctp_sendmsg_to_asoc can drop the socket lock during the iteration, allowing another thread to modify that list. If an association is peeled off and the new socket is closed while the lock is released, the original function continues from a stale list cursor and can access a freed association, resulting in a use-after-free or type confusion. The vulnerability has been addressed by revalidating the association cursor after each sctp_sendmsg_to_asoc call, so that the function only processes associations that are still valid.
Exploitation of this vulnerability can result in a use-after-free condition or type confusion, both of which can be exploited to execute arbitrary code.
To reproduce this vulnerability, send a message using the SCTP protocol with the SCTP_SENDALL flag enabled. While the message is being sent, peel off an association from the endpoint's association list and close the socket. This will create a race condition where the sctp_sendmsg function accesses a stale association that has already been freed.
Users can upgrade to the latest version of the Linux kernel where this vulnerability has been fixed.