From: Clément Lecigne
To: freebsd-security@freebsd.org
Date: Sat, 14 Jan 2012 05:11:05 +0100
Subject: Re: Double SCTP_INP_RUNLOCK() in SCTP result in KP
List-Id: "Security issues [members-only posting]"

Oops, mistake: the LOCK() should be on line 3041; same problem just above on line 3021, UNLOCK() instead of LOCK().
-clem1

On 14 January 2012 05:03, Clément Lecigne wrote:
> Hi,
>
> In sctp_usrreq.c, lines are based on HEAD:
>
> 3041     SCTP_INP_RUNLOCK(inp);
> 3042     onoff = sctp_is_feature_on(inp, SCTP_PCB_FLAGS_RECVNXTINFO);
> 3043     SCTP_INP_RUNLOCK(inp);
>
> The SCTP_INP_RUNLOCK(in) on line 3043 must be SCTP_INP_LOCK(in), typo?
> That results in an easily user triggerable kernel panic through
> getsockopt(). I don't think a user can do something evil with this
> double unlock, which results in a kernel panic due to a NULL dereference
> in mtx_unlock() on my fresh FreeBSD 9.0.
>
> Bests,
> -clem1

-- 
-clem1
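A user-space model of the lock pairing discussed in this thread, added here as an example and not code from the mail or from the FreeBSD tree: a reader-count lock with a balance check (standing in for the kernel's lock assertions) records the unlock-without-lock that the quoted RUNLOCK/RUNLOCK sequence produces, while the RLOCK/RUNLOCK pairing leaves the count balanced. The struct and function names are constructed for the example.

```c
#include <stdio.h>
/* Toy stand-in for the SCTP inpcb read lock: a reader count plus a balance
 * check, playing the role the kernel's lock assertions do. Names are
 * constructed for this example. */
struct inp_model {
	int readers;     /* current read holders */
	int unbalanced;  /* RUNLOCK calls seen with no matching RLOCK */
};

static void model_rlock(struct inp_model *inp) { inp->readers++; }

/* 0 on a matched unlock, -1 on an unlock with no holder (kernel: panic). */
static int model_runlock(struct inp_model *inp)
{
	if (inp->readers <= 0) {
		inp->unbalanced++;
		return (-1);
	}
	inp->readers--;
	return (0);
}

/* The sequence quoted in the mail: RUNLOCK / read the feature / RUNLOCK. */
static int getopt_recvnxtinfo_buggy(struct inp_model *inp, int *onoff)
{
	int err = model_runlock(inp);
	*onoff = 1;                    /* stands in for sctp_is_feature_on() */
	if (model_runlock(inp) != 0)
		err = -1;
	return (err);
}

/* The intended pairing: RLOCK / read the feature / RUNLOCK. */
static int getopt_recvnxtinfo_fixed(struct inp_model *inp, int *onoff)
{
	model_rlock(inp);
	*onoff = 1;
	return (model_runlock(inp));
}

/* Run one variant on a fresh, unlocked inp; count unbalanced unlocks caught. */
static int unbalanced_unlocks(int (*fn)(struct inp_model *, int *))
{
	struct inp_model inp = { 0, 0 };
	int onoff;
	(void)fn(&inp, &onoff);
	return (inp.unbalanced);
}
```

Calling `unbalanced_unlocks(getopt_recvnxtinfo_buggy)` returns 2, one for each unmatched unlock, while the fixed variant returns 0.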