From: Clément Lecigne
To: freebsd-security@freebsd.org
Date: Sat, 14 Jan 2012 05:03:01 +0100
Subject: Double SCTP_INP_RUNLOCK() in SCTP result in KP

Hi,

In sctp_usrreq.c (line numbers are from HEAD):

    3041 SCTP_INP_RUNLOCK(inp);
    3042 onoff = sctp_is_feature_on(inp, SCTP_PCB_FLAGS_RECVNXTINFO);
    3043 SCTP_INP_RUNLOCK(inp);

The SCTP_INP_RUNLOCK(in) on line 3043 must be SCTP_INP_LOCK(in), typo? That results in an easily user-triggerable kernel panic through getsockopt().
I don't think a user can do something evil with this double unlock, which results in a kernel panic due to a NULL dereference in mtx_unlock() on my fresh FreeBSD 9.0.

Bests,
-clem1
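A user-space model of the lock pairing quoted in the report, added here as an example and not taken from the report or from FreeBSD's SCTP code: the inp mutex is non-recursive, so a second unlock finds no owner, which the model counts as a violation where the kernel's mtx_unlock() dereferences NULL. The flag value, the model's names and the assumption that the lock is held on entry to the quoted lines are mine.

```c
/* Added example, not from the report or FreeBSD's SCTP code: a user-space
 * model of the non-recursive inp mutex behind SCTP_INP_RLOCK/RUNLOCK that
 * counts lock-discipline violations instead of panicking. The flag value
 * and the "lock held on entry" precondition are assumptions of the model. */
#include <stddef.h>
#define SCTP_PCB_FLAGS_RECVNXTINFO 0x1   /* placeholder bit for this model */

struct inp_model {
    const void *owner;   /* thread holding the mutex, NULL when free */
    int features;        /* per-PCB feature bits */
    int violations;      /* unowned unlocks or recursive locks seen */
};

static void model_lock(struct inp_model *inp, const void *td)
{
    if (inp->owner != NULL) { inp->violations++; return; } /* recursion */
    inp->owner = td;
}
static void model_unlock(struct inp_model *inp, const void *td)
{
    /* unlocking a mutex this thread does not own: the kernel panics here */
    if (inp->owner != td) { inp->violations++; return; }
    inp->owner = NULL;
}
static int model_feature_on(const struct inp_model *inp, int flag)
{
    return (inp->features & flag) != 0;
}

/* Lines 3041-3043 as quoted: unlock, feature test, unlock. Assumes the
 * caller holds the inp lock on entry, so the first unlock is legitimate
 * and the second finds no owner. Returns the violation count (1). */
int reported_sequence(struct inp_model *inp, const void *td, int *onoff)
{
    inp->owner = td;                                            /* precondition */
    model_unlock(inp, td);                                      /* line 3041 */
    *onoff = model_feature_on(inp, SCTP_PCB_FLAGS_RECVNXTINFO); /* line 3042 */
    model_unlock(inp, td);                                      /* line 3043 */
    return inp->violations;
}

/* The balanced pairing a getsockopt case normally uses: take the lock,
 * read the flag under it, release it once. Returns 0 violations. */
int balanced_sequence(struct inp_model *inp, const void *td, int *onoff)
{
    model_lock(inp, td);
    *onoff = model_feature_on(inp, SCTP_PCB_FLAGS_RECVNXTINFO);
    model_unlock(inp, td);
    return inp->violations;
}
```

With INVARIANTS and WITNESS enabled, a real FreeBSD kernel reports the same kind of unowned-unlock mistake at the first unbalanced call rather than faulting inside the lock primitive.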