blob: e9260b2d10afecb184308dc40a714a41dd3641eb
The vulnerability CVE-2021-46929 is a use-after-free issue in the Linux kernel's Stream Control Transmission Protocol (SCTP) implementation. The problem occurs when an association (asoc) is peeled off: the old socket (sk) is freed after it has been retrieved via asoc->base.sk but before lock_sock(sk) is called, so lock_sock() then operates on freed memory.
To fix this issue, the patch uses call_rcu() to delay freeing the endpoint, which ensures that the endpoint is not freed until the RCU (Read-Copy Update) grace period has ended. The sock_put() call and the endpoint free are moved into sctp_endpoint_destroy_rcu(), which makes it safe to take a reference on the endpoint under rcu_read_lock() in sctp_transport_traverse_process(). If sctp_endpoint_hold() returns true, the endpoint is still alive and it is safe to continue dumping it; if it returns false, the endpoint is already dead, and its memory may be released only after rcu_read_unlock().
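The lifetime pattern described above (a reference that can only be taken while the object is alive, plus a free deferred past the RCU grace period) is shown below as an added, constructed user-space model; it is not the kernel's SCTP code. RCU is simulated single-threaded with a reader counter and a deferred-free list, and all names (ep_hold, ep_put, ep_destroy_rcu, traverse_dump, the scenario functions) are hypothetical stand-ins for the kernel helpers named in the text.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stdlib.h>

/* Constructed model of the fix, not kernel code. "RCU" is simulated: a reader
 * counter plus a deferred-free list that is drained only when no reader is active. */

#define TABLE_SIZE 4

struct ep {
    atomic_int refcnt;          /* 0 means dead; a hold must then fail */
    int id;
    struct ep *rcu_next;        /* link on the deferred-free list */
};

static struct ep *table[TABLE_SIZE];   /* lookup table that readers walk */
static struct ep *rcu_pending;         /* queued by the call_rcu() stand-in */
static int active_readers;             /* open rcu_read_lock() sections */
static int freed_total;                /* endpoints actually freed so far */

static void ep_destroy_rcu(struct ep *ep)
{
    free(ep);                   /* in the kernel: sock_put() and the ep free live here */
    freed_total++;
}

/* End of the simulated grace period: free queued objects once no reader is inside. */
static void rcu_maybe_drain(void)
{
    if (active_readers != 0)
        return;
    while (rcu_pending) {
        struct ep *e = rcu_pending;
        rcu_pending = e->rcu_next;
        ep_destroy_rcu(e);
    }
}

static void rcu_read_lock(void) { active_readers++; }
static void rcu_read_unlock(void) { active_readers--; rcu_maybe_drain(); }

/* Take a reference only if the object is still alive (increment-if-not-zero). */
static bool ep_hold(struct ep *ep)
{
    int old = atomic_load(&ep->refcnt);
    while (old != 0)
        if (atomic_compare_exchange_weak(&ep->refcnt, &old, old + 1))
            return true;
    return false;               /* already dead: caller may only look, never keep it */
}

/* Drop a reference; the last one unlinks the object and defers its free. */
static void ep_put(struct ep *ep)
{
    if (atomic_fetch_sub(&ep->refcnt, 1) != 1)
        return;
    for (int i = 0; i < TABLE_SIZE; i++)
        if (table[i] == ep)
            table[i] = NULL;
    ep->rcu_next = rcu_pending; /* call_rcu() stand-in: not freed yet */
    rcu_pending = ep;
    rcu_maybe_drain();
}

static struct ep *ep_create(int id)
{
    struct ep *ep = calloc(1, sizeof *ep);
    if (!ep) abort();
    atomic_init(&ep->refcnt, 1);
    ep->id = id;
    table[id % TABLE_SIZE] = ep;
    return ep;
}

/* Reader side, shaped like a traverse-and-dump loop: hold each live endpoint,
 * record its id, drop it. Dead entries are skipped but remain safe to read. */
static int traverse_dump(int *ids, int max)
{
    int n = 0;
    rcu_read_lock();
    for (int i = 0; i < TABLE_SIZE && n < max; i++) {
        struct ep *ep = table[i];
        if (!ep || !ep_hold(ep))
            continue;
        ids[n++] = ep->id;
        ep_put(ep);
    }
    rcu_read_unlock();
    return n;
}

/* Happy path: two live endpoints are both held and dumped. Returns 1 on success. */
static int scenario_traverse_live(void)
{
    int ids[TABLE_SIZE];
    struct ep *a = ep_create(0), *b = ep_create(1);
    int n = traverse_dump(ids, TABLE_SIZE);
    ep_put(a);
    ep_put(b);
    return n == 2 && ids[0] == 0 && ids[1] == 1;
}

/* The race from the description: the reader already holds the pointer, the owner
 * drops the last reference in between, then the reader tries to hold it. Returns 1
 * when the hold fails and the free happens only after rcu_read_unlock(). */
static int scenario_owner_releases_under_reader(void)
{
    int freed_before = freed_total;
    struct ep *ep = ep_create(2);
    rcu_read_lock();
    struct ep *seen = table[2];     /* reader fetched the pointer */
    ep_put(ep);                     /* owner drops its reference while reader is inside */
    int freed_during = freed_total - freed_before;   /* expect 0: deferred */
    bool held = ep_hold(seen);      /* expect false: refcnt is already 0 */
    rcu_read_unlock();              /* grace period ends; free happens now */
    int freed_after = freed_total - freed_before;    /* expect 1 */
    return !held && freed_during == 0 && freed_after == 1;
}
```

The second scenario is the point of the fix: with the free deferred to the grace period, a reader that loses the race still reads valid memory, learns from the failed hold that the endpoint is dead, and simply skips it instead of dereferencing freed memory.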
The vulnerability was introduced in kernel version 4.14 with commit d25adbeb0cdb and has been fixed in various kernel versions, including 4.14.261, 4.19.224, 5.4.170, 5.10.90, 5.15.13, and 5.16. The affected files are include/net/sctp/sctp.h, include/net/sctp/structs.h, net/sctp/diag.c, net/sctp/endpointola.c, and net/sctp/socket.c.
The Linux kernel CVE team recommends updating to the latest stable kernel version to fix this issue, as individual changes are never tested alone and cherry-picking individual commits is not supported.