[PATCH] selinux: fix NULL pointer dereference in selinux_sctp_bind_connect()
From: Tristan Madani
Date: Thu Jun 18 2026 - 19:23:13 EST
From: Tristan Madani <tristan@xxxxxxxxxxxxxxxxxxx>

selinux_sctp_bind_connect() reads sk->sk_socket and passes it to
selinux_socket_bind() or selinux_socket_connect_helper() without
checking for NULL. When an SCTP ASCONF chunk is processed in softirq
context on a socket that has been concurrently closed, sock_orphan()
will have already set sk->sk_socket to NULL. The subsequent
dereference of sock->sk at offset 0x18 triggers a kernel panic.

Add a NULL check on sk->sk_socket before use.

Fixes: d452930fd3b9 ("selinux: Add SCTP support")
Cc: stable@xxxxxxxxxxxxxxx
Signed-off-by: Tristan Madani <tristan@xxxxxxxxxxxxxxxxxxx>
---
security/selinux/hooks.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 0f704380a8c8..e45588563caa 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -5717,6 +5717,9 @@ static int selinux_sctp_bind_connect(struct sock *sk, int optname,
/* Process one or more addresses that may be IPv4 or IPv6 */
sock = sk->sk_socket;
+ if (!sock)
+ return -ECONNRESET;
+
addr_buf = address;
while (walk_size < addrlen) {
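Review bot: the new `if (!sock)` test directly after `sock = sk->sk_socket;` checks a pointer fetched with a plain load, while the commit message says sock_orphan() can clear that field concurrently, so nothing visible here explains why `sock` stays valid through the `while (walk_size < addrlen)` loop that hands it to selinux_socket_bind() or selinux_socket_connect_helper(). Please state in the commit message which lock or reference keeps the struct socket alive across the loop, or consider not going through the socket pointer at all, since the commit message describes the crash as a dereference of sock->sk and that is the sk already in hand. If the check stays as is, a READ_ONCE() on the load and a one-line comment saying why -ECONNRESET is the errno returned for an orphaned socket would document the intent.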
--
2.47.3