In the Linux kernel, the following vulnerability has been resolved:
sctp: set sk_state back to CLOSED if autobind fails in sctp_listen_start
In sctp_listen_start(), invoked by sctp_inet_listen(), sk_state should be set back to CLOSED if sctp_autobind() fails for any reason.
Otherwise, the next time sctp_inet_listen() is called, if sctp_sk(sk)->reuse is already set via setsockopt(SCTP_REUSE_PORT), sctp_sk(sk)->bind_hash will be dereferenced because sk_state is still LISTENING, which causes a crash because bind_hash is NULL.
KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
RIP: 0010:sctp_inet_listen+0x7f0/0xa20 net/sctp/socket.c:8617
Call Trace:
 <TASK>
 __sys_listen_socket net/socket.c:1883 [inline]
 __sys_listen+0x1b7/0x230 net/socket.c:1894
 __do_sys_listen net/socket.c:1902 [inline]
[ { "signature_version": "v1", "deprecated": false, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@7f64cb5b4d8c872296eda0fdce3bcf099eec7aa7", "signature_type": "Line", "target": { "file": "net/sctp/socket.c" }, "digest": { "threshold": 0.9, "line_hashes": [ "250366263807829831131548911152579264368", "221989321307434959901179240267545238611", "330543834740390331918565775743454570036", "1593977078591308106079737039339661386", "39876205464643845543166556061119848382" ] }, "id": "CVE-2024-49944-13e50b06" }, { "signature_version": "v1", "deprecated": false, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@89bbead9d897c77d0b566349c8643030ff2abeba", "signature_type": "Function", "target": { "function": "sctp_listen_start", "file": "net/sctp/socket.c" }, "digest": { "function_hash": "148232871066726855505335181391498834511", "length": 804.0 }, "id": "CVE-2024-49944-1f0eda0b" }, { "signature_version": "v1", "deprecated": false, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@89bbead9d897c77d0b566349c8643030ff2abeba", "signature_type": "Line", "target": { "file": "net/sctp/socket.c" }, "digest": { "threshold": 0.9, "line_hashes": [ "250366263807829831131548911152579264368", "221989321307434959901179240267545238611", "330543834740390331918565775743454570036", "1593977078591308106079737039339661386", "39876205464643845543166556061119848382" ] }, "id": "CVE-2024-49944-209a4178" }, { "signature_version": "v1", "deprecated": false, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@e914bf68dab88815a7ae7b7a3a5e8913c8ff14a5", "signature_type": "Line", "target": { "file": "net/sctp/socket.c" }, "digest": { "threshold": 0.9, "line_hashes": [ "250366263807829831131548911152579264368", "221989321307434959901179240267545238611", "330543834740390331918565775743454570036", "1593977078591308106079737039339661386", "39876205464643845543166556061119848382" ] }, "id": 
"CVE-2024-49944-2bf0657e" }, { "signature_version": "v1", "deprecated": false, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@f032e1dac30b3376c7d6026fb01a8c403c47a80d", "signature_type": "Function", "target": { "function": "sctp_listen_start", "file": "net/sctp/socket.c" }, "digest": { "function_hash": "340192764308073239132754915530537318992", "length": 813.0 }, "id": "CVE-2024-49944-2ea59212" }, { "signature_version": "v1", "deprecated": false, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@e914bf68dab88815a7ae7b7a3a5e8913c8ff14a5", "signature_type": "Function", "target": { "function": "sctp_listen_start", "file": "net/sctp/socket.c" }, "digest": { "function_hash": "340192764308073239132754915530537318992", "length": 813.0 }, "id": "CVE-2024-49944-5d719bea" }, { "signature_version": "v1", "deprecated": false, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@0e4e2e60556c6ed00e8450b720f106a268d23062", "signature_type": "Function", "target": { "function": "sctp_listen_start", "file": "net/sctp/socket.c" }, "digest": { "function_hash": "159691372212706791742865911475491484938", "length": 800.0 }, "id": "CVE-2024-49944-68677d97" }, { "signature_version": "v1", "deprecated": false, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@e7a8442195e8ebd97df467ce4742980ab57edcce", "signature_type": "Function", "target": { "function": "sctp_listen_start", "file": "net/sctp/socket.c" }, "digest": { "function_hash": "340192764308073239132754915530537318992", "length": 813.0 }, "id": "CVE-2024-49944-88151df4" }, { "signature_version": "v1", "deprecated": false, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@8beee4d8dee76b67c75dc91fd8185d91e845c160", "signature_type": "Function", "target": { "function": "sctp_listen_start", "file": "net/sctp/socket.c" }, "digest": { "function_hash": "340192764308073239132754915530537318992", "length": 813.0 }, 
"id": "CVE-2024-49944-8d27cfcf" }, { "signature_version": "v1", "deprecated": false, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@dd70c8a89ef99c3d53127fe19e51ef47c3f860fa", "signature_type": "Line", "target": { "file": "net/sctp/socket.c" }, "digest": { "threshold": 0.9, "line_hashes": [ "250366263807829831131548911152579264368", "221989321307434959901179240267545238611", "330543834740390331918565775743454570036", "1593977078591308106079737039339661386", "39876205464643845543166556061119848382" ] }, "id": "CVE-2024-49944-8df17ac0" }, { "signature_version": "v1", "deprecated": false, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@9230a59eda0878d7ecaa901d876aec76f57bd455", "signature_type": "Function", "target": { "function": "sctp_listen_start", "file": "net/sctp/socket.c" }, "digest": { "function_hash": "340192764308073239132754915530537318992", "length": 813.0 }, "id": "CVE-2024-49944-9f96aee6" }, { "signature_version": "v1", "deprecated": false, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@dd70c8a89ef99c3d53127fe19e51ef47c3f860fa", "signature_type": "Function", "target": { "function": "sctp_listen_start", "file": "net/sctp/socket.c" }, "digest": { "function_hash": "340192764308073239132754915530537318992", "length": 813.0 }, "id": "CVE-2024-49944-a4bf57fb" }, { "signature_version": "v1", "deprecated": false, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@e7a8442195e8ebd97df467ce4742980ab57edcce", "signature_type": "Line", "target": { "file": "net/sctp/socket.c" }, "digest": { "threshold": 0.9, "line_hashes": [ "250366263807829831131548911152579264368", "221989321307434959901179240267545238611", "330543834740390331918565775743454570036", "1593977078591308106079737039339661386", "39876205464643845543166556061119848382" ] }, "id": "CVE-2024-49944-ac791aad" }, { "signature_version": "v1", "deprecated": false, "source": 
"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@8beee4d8dee76b67c75dc91fd8185d91e845c160", "signature_type": "Line", "target": { "file": "net/sctp/socket.c" }, "digest": { "threshold": 0.9, "line_hashes": [ "250366263807829831131548911152579264368", "221989321307434959901179240267545238611", "330543834740390331918565775743454570036", "1593977078591308106079737039339661386", "39876205464643845543166556061119848382" ] }, "id": "CVE-2024-49944-acc35155" }, { "signature_version": "v1", "deprecated": false, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@0e4e2e60556c6ed00e8450b720f106a268d23062", "signature_type": "Line", "target": { "file": "net/sctp/socket.c" }, "digest": { "threshold": 0.9, "line_hashes": [ "250366263807829831131548911152579264368", "221989321307434959901179240267545238611", "330543834740390331918565775743454570036", "1593977078591308106079737039339661386", "39876205464643845543166556061119848382" ] }, "id": "CVE-2024-49944-b47bf2e1" }, { "signature_version": "v1", "deprecated": false, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@f032e1dac30b3376c7d6026fb01a8c403c47a80d", "signature_type": "Line", "target": { "file": "net/sctp/socket.c" }, "digest": { "threshold": 0.9, "line_hashes": [ "250366263807829831131548911152579264368", "221989321307434959901179240267545238611", "330543834740390331918565775743454570036", "1593977078591308106079737039339661386", "39876205464643845543166556061119848382" ] }, "id": "CVE-2024-49944-d1805ae7" }, { "signature_version": "v1", "deprecated": false, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@7f64cb5b4d8c872296eda0fdce3bcf099eec7aa7", "signature_type": "Function", "target": { "function": "sctp_listen_start", "file": "net/sctp/socket.c" }, "digest": { "function_hash": "340192764308073239132754915530537318992", "length": 813.0 }, "id": "CVE-2024-49944-e12ba947" }, { "signature_version": "v1", "deprecated": false, 
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@9230a59eda0878d7ecaa901d876aec76f57bd455", "signature_type": "Line", "target": { "file": "net/sctp/socket.c" }, "digest": { "threshold": 0.9, "line_hashes": [ "250366263807829831131548911152579264368", "221989321307434959901179240267545238611", "330543834740390331918565775743454570036", "1593977078591308106079737039339661386", "39876205464643845543166556061119848382" ] }, "id": "CVE-2024-49944-f56ff082" } ]