Re: [PATCH] selinux: fix NULL pointer dereference in selinux_sctp_bind_connect()

From: Stephen Smalley

Date: Mon Jun 22 2026 - 10:16:18 EST


On Thu, Jun 18, 2026 at 7:21 PM Tristan Madani <tristmd@xxxxxxxxx> wrote:
>
> From: Tristan Madani <tristan@xxxxxxxxxxxxxxxxxxx>
>
> selinux_sctp_bind_connect() reads sk->sk_socket and passes it to
> selinux_socket_bind() or selinux_socket_connect_helper() without
> checking for NULL. When an SCTP ASCONF chunk is processed in softirq
> context on a socket that has been concurrently closed, sock_orphan()
> will have already set sk->sk_socket to NULL. The subsequent
> dereference of sock->sk at offset 0x18 triggers a kernel panic.
>
> Add a NULL check on sk->sk_socket before use.

Is this sufficient, or can the sk_socket be freed under us after the assignment?
Do different callers of this hook provide different guarantees
regarding sk_socket or are they all the same?

>
> Fixes: d452930fd3b9 ("selinux: Add SCTP support")
> Cc: stable@xxxxxxxxxxxxxxx
> Signed-off-by: Tristan Madani <tristan@xxxxxxxxxxxxxxxxxxx>
> ---
> security/selinux/hooks.c | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
> index 0f704380a8c8..e45588563caa 100644
> --- a/security/selinux/hooks.c
> +++ b/security/selinux/hooks.c
> @@ -5717,6 +5717,9 @@ static int selinux_sctp_bind_connect(struct sock *sk, int optname,
>
> /* Process one or more addresses that may be IPv4 or IPv6 */
> sock = sk->sk_socket;
> + if (!sock)
> + return -ECONNRESET;
> +
> addr_buf = address;
>
> while (walk_size < addrlen) {
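Review bot: the `if (!sock)` test only checks a snapshot of sk->sk_socket; nothing in the hunk shows what stops sock_orphan() from clearing the pointer and the socket being torn down between `sock = sk->sk_socket;` and the uses of `sock` inside the `while (walk_size < addrlen)` loop that follows, and that concurrent-close window is exactly the one the commit message describes. The commit message should state which lock or reference serializes this hook against sock_orphan() for each caller it names (the setsockopt bind/connect path and the ASCONF softirq path), since the check is only sufficient if both hold the same guarantee; a comment above the check such as `/* sk_socket is cleared by sock_orphan() on close; caller holds ... */` would make that reviewable. It would also help to say why -ECONNRESET is the right error for the callers that see it, as the same value is returned on both paths.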
> --
> 2.47.3
>
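The point behind Stephen's question, as an added example that is not code from the patch or from the kernel: a userspace model of the race in the commit message, with the socket lock modeled as a pthread mutex and teardown modeled as an `alive` flag rather than a real free() so the program stays memory-safe. The struct names, `hook_check_only`, `hook_locked`, `run_scenario` and the use of -EBADF to mark "used a torn-down socket" are assumptions of the model, not kernel semantics; whether the real hook runs under the lock that sock_orphan() takes is precisely what the review is asking the submitter to state.

```c
/* Model of the sk_socket race: NULL-check on a snapshot vs. check-and-use under the
 * lock that the orphaning path takes. Added example; not kernel code. */
#include <errno.h>
#include <pthread.h>
#include <stddef.h>
#include <stdio.h>

struct socket { int alive; };               /* stand-in for struct socket */
struct sock {
    pthread_mutex_t lock;                    /* stand-in for the socket lock (assumption) */
    struct socket *sk_socket;
};

/* Models the closing path: sock_orphan() clears sk_socket, then the socket is torn
 * down. Teardown is an alive=0 flag here, not free(), so reading it afterwards is
 * well-defined in the model while still visible as a bug. */
static void *orphan_thread(void *arg)
{
    struct sock *sk = arg;
    pthread_mutex_lock(&sk->lock);
    struct socket *sock = sk->sk_socket;
    sk->sk_socket = NULL;                    /* sock_orphan() */
    if (sock)
        sock->alive = 0;                     /* teardown */
    pthread_mutex_unlock(&sk->lock);
    return NULL;
}

static pthread_t start_close(struct sock *sk)
{
    pthread_t t;
    pthread_create(&t, NULL, orphan_thread, sk);
    return t;
}

/* Variant A, the shape of the posted patch: snapshot, NULL-check, then use, with no
 * lock held. The close is made to run to completion inside the check-to-use window. */
int hook_check_only(struct sock *sk)
{
    struct socket *sock = sk->sk_socket;
    if (!sock)
        return -ECONNRESET;
    pthread_t t = start_close(sk);           /* concurrent close lands here */
    pthread_join(t, NULL);
    return sock->alive ? 0 : -EBADF;         /* -EBADF: model marker for use after teardown */
}

/* Variant B: the snapshot and every use of it happen under the same lock that the
 * orphaning path takes, so the close cannot interleave with the check. */
int hook_locked(struct sock *sk)
{
    pthread_mutex_lock(&sk->lock);
    struct socket *sock = sk->sk_socket;
    if (!sock) {
        pthread_mutex_unlock(&sk->lock);
        return -ECONNRESET;
    }
    pthread_t t = start_close(sk);           /* close starts now but blocks on sk->lock */
    int ret = sock->alive ? 0 : -EBADF;
    pthread_mutex_unlock(&sk->lock);         /* only now can the orphan proceed */
    pthread_join(t, NULL);
    return ret;
}

/* Scenario driver: attached=0 models a socket orphaned before the hook runs;
 * locked selects variant B. Returns the hook's result. */
int run_scenario(int locked, int attached)
{
    struct socket s = { .alive = 1 };
    struct sock sk;
    pthread_mutex_init(&sk.lock, NULL);
    sk.sk_socket = attached ? &s : NULL;
    int ret = locked ? hook_locked(&sk) : hook_check_only(&sk);
    pthread_mutex_destroy(&sk.lock);
    return ret;
}

int main(void)
{
    printf("check-only, close in window: %d\n", run_scenario(0, 1));
    printf("locked, close in window:     %d\n", run_scenario(1, 1));
    printf("already orphaned, check-only: %d\n", run_scenario(0, 0));
    printf("already orphaned, locked:     %d\n", run_scenario(1, 0));
    return 0;
}
```

Build with `cc -pthread race_model.c`. The already-orphaned case is the one the patch handles; the close-in-window case is the one it handles only if some lock or reference (variant B) covers the whole loop, which is what the commit message needs to establish for both callers.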