Re: [PATCH net 1/1] sctp: avoid auth_enable sysctl UAF during netns teardown
From: Xin Long <lucien.xin@gmail.com>
Date: 2026-06-29 14:05:11
Also in:
linux-sctp
On Sun, Jun 28, 2026 at 4:40 AM Ren Wei [off-list ref] wrote:
quoted hunk ↗ jump to hunk
From: Zhiling Zou <redacted> proc_sctp_do_auth() updates the SCTP control socket after changing net.sctp.auth_enable. The handler gets the per-net SCTP state from ctl->data, so an already opened sysctl file can still target a network namespace while that namespace is being torn down. SCTP unregisters its per-net sysctls from sctp_defaults_exit(), but sctp_ctrlsock_exit() runs earlier because the control-socket pernet ops are registered after the defaults ops. This leaves a teardown window where auth_enable is still writable after inet_ctl_sock_destroy() has released net->sctp.ctl_sock, leading to a use-after-free when the sysctl handler locks and dereferences the stale socket. Unregister the per-net SCTP sysctl table before destroying the control socket. Make sctp_sysctl_net_unregister() tolerate a missing header and clear the saved pointer so the later defaults exit path and init-error path can safely share the same unregister helper. Fixes: 15649fd5415e ("sctp: sysctl: auth_enable: avoid using current->nsproxy") Cc: stable@vger.kernel.org Reported-by: Yuan Tan <redacted> Reported-by: Yifan Wu <redacted> Reported-by: Juefei Pu <redacted> Reported-by: Xin Liu <redacted> Assisted-by: Codex:gpt-5.4 Signed-off-by: Zhiling Zou <redacted> Signed-off-by: Ren Wei <redacted> --- net/sctp/protocol.c | 3 +++ net/sctp/sysctl.c | 9 +++++++-- 2 files changed, 10 insertions(+), 2 deletions(-)diff --git a/net/sctp/protocol.c b/net/sctp/protocol.c index 587b0017a67d..ae381d304bd5 100644 --- a/net/sctp/protocol.c +++ b/net/sctp/protocol.c@@ -1457,8 +1457,11 @@ static int __net_init sctp_ctrlsock_init(struct net *net) static void __net_exit sctp_ctrlsock_exit(struct net *net) { + sctp_sysctl_net_unregister(net); + /* Free the control endpoint. */ inet_ctl_sock_destroy(net->sctp.ctl_sock); + net->sctp.ctl_sock = NULL; } static struct pernet_operations sctp_ctrlsock_ops = {diff --git a/net/sctp/sysctl.c b/net/sctp/sysctl.c index 15e7db9a3ab2..fca840484ebf 100644 --- a/net/sctp/sysctl.c +++ b/net/sctp/sysctl.c@@ -615,11 +615,16 @@ int sctp_sysctl_net_register(struct net *net) void sctp_sysctl_net_unregister(struct net *net) { + struct ctl_table_header *header = net->sctp.sysctl_header; const struct ctl_table *table; - table = net->sctp.sysctl_header->ctl_table_arg; - unregister_net_sysctl_table(net->sctp.sysctl_header); + if (!header) + return; + + table = header->ctl_table_arg; + unregister_net_sysctl_table(header); kfree(table); + net->sctp.sysctl_header = NULL; } static struct ctl_table_header *sctp_sysctl_header; --2.43.0
Please also move sctp_sysctl_net_register() to sctp_ctrlsock_init(), and call it AFTER sctp_ctl_sock_init(). This is not just for being symmetric, but also fixes two problems: 1. A regression caused by this patch: If sctp_v4_protosw_init() or sctp_v6_protosw_init() fails in sctp_init(), there's no place to call sctp_sysctl_net_unregister() on the err path. 2. A pre-existing issue reported by sashiko-gemini:
quoted hunk ↗ jump to hunk
diff --git a/net/sctp/sysctl.c b/net/sctp/sysctl.c index 15e7db9a3ab2e..fca840484ebf7 100644 --- a/net/sctp/sysctl.c +++ b/net/sctp/sysctl.c@@ -615,11 +615,16 @@ int sctp_sysctl_net_register(struct net *net)void sctp_sysctl_net_unregister(struct net *net) { + struct ctl_table_header *header = net->sctp.sysctl_header; const struct ctl_table *table;
This is a pre-existing issue, but I noticed a potential race condition
during SCTP module initialization related to the sysctls modified here.
During sctp_init(), sctp_defaults_ops registers the sysctls globally before
sctp_ctrlsock_ops allocates net->sctp.ctl_sock:
sctp_init() {
...
status = register_pernet_subsys(&sctp_defaults_ops);
if (status)
goto err_register_defaults;
...
status = register_pernet_subsys(&sctp_ctrlsock_ops);
...
}
If userspace accesses the sysctls in this window, proc_sctp_do_auth() could
dereference a NULL pointer since it assumes ctl_sock is ready:
proc_sctp_do_auth() {
...
struct sock *sk = net->sctp.ctl_sock;
net->sctp.auth_enable = new_value;
/* Update the value in the control socket */
lock_sock(sk);
...
}
Can we hit a kernel panic here if the sysctl is modified during automatic
module loading?
[...]
Thanks.