{"dataType":"CVE_RECORD","dataVersion":"5.1","cveMetadata":{"cveId":"CVE-2021-46929","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2024-02-25T13:45:52.720Z","datePublished":"2024-02-27T09:43:58.047Z","dateUpdated":"2025-05-04T07:00:32.322Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2025-05-04T07:00:32.322Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nsctp: use call_rcu to free endpoint\n\nThis patch is to delay the endpoint free by calling call_rcu() to fix\nanother use-after-free issue in sctp_sock_dump():\n\n  BUG: KASAN: use-after-free in __lock_acquire+0x36d9/0x4c20\n  Call Trace:\n    __lock_acquire+0x36d9/0x4c20 kernel/locking/lockdep.c:3218\n    lock_acquire+0x1ed/0x520 kernel/locking/lockdep.c:3844\n    __raw_spin_lock_bh include/linux/spinlock_api_smp.h:135 [inline]\n    _raw_spin_lock_bh+0x31/0x40 kernel/locking/spinlock.c:168\n    spin_lock_bh include/linux/spinlock.h:334 [inline]\n    __lock_sock+0x203/0x350 net/core/sock.c:2253\n    lock_sock_nested+0xfe/0x120 net/core/sock.c:2774\n    lock_sock include/net/sock.h:1492 [inline]\n    sctp_sock_dump+0x122/0xb20 net/sctp/diag.c:324\n    sctp_for_each_transport+0x2b5/0x370 net/sctp/socket.c:5091\n    sctp_diag_dump+0x3ac/0x660 net/sctp/diag.c:527\n    __inet_diag_dump+0xa8/0x140 net/ipv4/inet_diag.c:1049\n    inet_diag_dump+0x9b/0x110 net/ipv4/inet_diag.c:1065\n    netlink_dump+0x606/0x1080 net/netlink/af_netlink.c:2244\n    __netlink_dump_start+0x59a/0x7c0 net/netlink/af_netlink.c:2352\n    netlink_dump_start include/linux/netlink.h:216 [inline]\n    inet_diag_handler_cmd+0x2ce/0x3f0 net/ipv4/inet_diag.c:1170\n    __sock_diag_cmd net/core/sock_diag.c:232 [inline]\n    sock_diag_rcv_msg+0x31d/0x410 net/core/sock_diag.c:263\n    netlink_rcv_skb+0x172/0x440 net/netlink/af_netlink.c:2477\n    sock_diag_rcv+0x2a/0x40 net/core/sock_diag.c:274\n\nThis issue occurs when asoc is peeled off and the old sk is freed after\ngetting it by asoc->base.sk and before calling lock_sock(sk).\n\nTo prevent the sk free, as a holder of the sk, ep should be alive when\ncalling lock_sock(). This patch uses call_rcu() and moves sock_put and\nep free into sctp_endpoint_destroy_rcu(), so that it's safe to try to\nhold the ep under rcu_read_lock in sctp_transport_traverse_process().\n\nIf sctp_endpoint_hold() returns true, it means this ep is still alive\nand we have held it and can continue to dump it; If it returns false,\nit means this ep is dead and can be freed after rcu_read_unlock, and\nwe should skip it.\n\nIn sctp_sock_dump(), after locking the sk, if this ep is different from\ntsp->asoc->ep, it means during this dumping, this asoc was peeled off\nbefore calling lock_sock(), and the sk should be skipped; If this ep is\nthe same with tsp->asoc->ep, it means no peeloff happens on this asoc,\nand due to lock_sock, no peeloff will happen either until release_sock.\n\nNote that delaying endpoint free won't delay the port release, as the\nport release happens in sctp_endpoint_destroy() before calling call_rcu().\nAlso, freeing endpoint by call_rcu() makes it safe to access the sk by\nasoc->base.sk in sctp_assocs_seq_show() and sctp_rcv().\n\nThanks Jones to bring this issue up.\n\nv1->v2:\n  - improve the changelog.\n  - add kfree(ep) into sctp_endpoint_destroy_rcu(), as Jakub noticed."}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["include/net/sctp/sctp.h","include/net/sctp/structs.h","net/sctp/diag.c","net/sctp/endpointola.c","net/sctp/socket.c"],"versions":[{"version":"d25adbeb0cdb860fb39e09cdd025e9cfc954c5ab","lessThan":"8873140f95d4977bf37e4cf0d5c5e3f6e34cdd3e","status":"affected","versionType":"git"},{"version":"d25adbeb0cdb860fb39e09cdd025e9cfc954c5ab","lessThan":"af6e6e58f7ebf86b4e7201694b1e4f3a62cbc3ec","status":"affected","versionType":"git"},{"version":"d25adbeb0cdb860fb39e09cdd025e9cfc954c5ab","lessThan":"831de271452b87657fcf8d715ee20519b79caef5","status":"affected","versionType":"git"},{"version":"d25adbeb0cdb860fb39e09cdd025e9cfc954c5ab","lessThan":"769d14abd35e0e153b5149c3e1e989a9d719e3ff","status":"affected","versionType":"git"},{"version":"d25adbeb0cdb860fb39e09cdd025e9cfc954c5ab","lessThan":"75799e71df1da11394740b43ae5686646179561d","status":"affected","versionType":"git"},{"version":"d25adbeb0cdb860fb39e09cdd025e9cfc954c5ab","lessThan":"5ec7d18d1813a5bead0b495045606c93873aecbb","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["include/net/sctp/sctp.h","include/net/sctp/structs.h","net/sctp/diag.c","net/sctp/endpointola.c","net/sctp/socket.c"],"versions":[{"version":"4.14","status":"affected"},{"version":"0","lessThan":"4.14","status":"unaffected","versionType":"semver"},{"version":"4.14.261","lessThanOrEqual":"4.14.*","status":"unaffected","versionType":"semver"},{"version":"4.19.224","lessThanOrEqual":"4.19.*","status":"unaffected","versionType":"semver"},{"version":"5.4.170","lessThanOrEqual":"5.4.*","status":"unaffected","versionType":"semver"},{"version":"5.10.90","lessThanOrEqual":"5.10.*","status":"unaffected","versionType":"semver"},{"version":"5.15.13","lessThanOrEqual":"5.15.*","status":"unaffected","versionType":"semver"},{"version":"5.16","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.14","versionEndExcluding":"4.14.261"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.14","versionEndExcluding":"4.19.224"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.14","versionEndExcluding":"5.4.170"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.14","versionEndExcluding":"5.10.90"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.14","versionEndExcluding":"5.15.13"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.14","versionEndExcluding":"5.16"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/8873140f95d4977bf37e4cf0d5c5e3f6e34cdd3e"},{"url":"https://git.kernel.org/stable/c/af6e6e58f7ebf86b4e7201694b1e4f3a62cbc3ec"},{"url":"https://git.kernel.org/stable/c/831de271452b87657fcf8d715ee20519b79caef5"},{"url":"https://git.kernel.org/stable/c/769d14abd35e0e153b5149c3e1e989a9d719e3ff"},{"url":"https://git.kernel.org/stable/c/75799e71df1da11394740b43ae5686646179561d"},{"url":"https://git.kernel.org/stable/c/5ec7d18d1813a5bead0b495045606c93873aecbb"}],"title":"sctp: use call_rcu to free endpoint","x_generator":{"engine":"bippy-1.2.0"}},"adp":[{"providerMetadata":{"orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE","dateUpdated":"2024-08-04T05:17:42.985Z"},"title":"CVE Program Container","references":[{"url":"https://git.kernel.org/stable/c/8873140f95d4977bf37e4cf0d5c5e3f6e34cdd3e","tags":["x_transferred"]},{"url":"https://git.kernel.org/stable/c/af6e6e58f7ebf86b4e7201694b1e4f3a62cbc3ec","tags":["x_transferred"]},{"url":"https://git.kernel.org/stable/c/831de271452b87657fcf8d715ee20519b79caef5","tags":["x_transferred"]},{"url":"https://git.kernel.org/stable/c/769d14abd35e0e153b5149c3e1e989a9d719e3ff","tags":["x_transferred"]},{"url":"https://git.kernel.org/stable/c/75799e71df1da11394740b43ae5686646179561d","tags":["x_transferred"]},{"url":"https://git.kernel.org/stable/c/5ec7d18d1813a5bead0b495045606c93873aecbb","tags":["x_transferred"]}]},{"metrics":[{"other":{"type":"ssvc","content":{"id":"CVE-2021-46929","role":"CISA Coordinator","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"version":"2.0.3","timestamp":"2024-09-10T16:02:00.945845Z"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2024-09-11T17:33:20.539Z"}}]}}