CVE-2024-57938 - Integer Overflow Bug in Linux Kernel SCTP Autoclose – Explained

In June 2024, a new vulnerability (CVE-2024-57938) was disclosed in the Linux Kernel’s SCTP (Stream Control Transmission Protocol) subsystem. This flaw is subtle but critical: it allows integer overflow due to improper handling of the autoclose timeout in SCTP associations. In this post, we’ll break down how it happens, show you the vulnerable code, explore the potential impact, and give pointers to the patch and reference materials.

What is SCTP and What’s the Issue?

SCTP is a network protocol that’s widely used for transporting multiple streams of data reliably between endpoints. Just like TCP and UDP, SCTP is part of the Linux networking stack.

Inside the Linux kernel, when new SCTP connections (associations) are initialized, the code sets up an "autoclose" timer — basically, how idle a connection can be before the kernel closes it automatically.

The kernel default for this timeout is very large (set by default to INT_MAX / HZ). But users or programs with the right privileges can change it using the sysctl setting /proc/sys/net/sctp/max_autoclose. The problem comes if someone sets this value to an extremely large number, specifically UINT_MAX.

The function in question is sctp_association_init() in net/sctp/associola.c.

Here's a simplified and commented snippet demonstrating the bug

// Example taken from Linux kernel sctp_association_init()
void sctp_association_init(struct sctp_association *asoc, struct sctp_endpoint *ep)
{
    // ... other initializations ...
    asoc->autoclose = sysctl_sctp_autoclose * HZ;
    // ... rest of function ...
}

HZ is a system constant (typically 100 or 250; it defines the timer granularity).

- If sysctl_sctp_autoclose is set to UINT_MAX (the max unsigned 32-bit integer), then multiplying by HZ causes an integer overflow.

Here's a crafted scenario

# As root, set max_autoclose to UINT_MAX
echo 4294967295 > /proc/sys/net/sctp/max_autoclose

On the next SCTP connection, the overflow happens in the multiplication

asoc->autoclose = 4294967295 * 100; // (if HZ=100)

This value cannot fit in a 32-bit (or even a 64-bit, if type is not wide enough) integer field, so it wraps around — leading to a much *lower* value than expected, often zero or some small value.

Why is that Dangerous?

- Unexpected Autoclose: Instead of keeping connections open "forever," they could now autoclose almost *immediately*.
- DoS Potential: An attacker (with privilege to change sysctl) could force the kernel to mishandle SCTP connections, closing them inappropriately or leaving them dangling.
- Kernel Instability: Integer overflows are a classic precursor to all kinds of kernel bugs, including panics and memory corruption.

The Patch: How Was It Fixed?

The Linux maintainers fixed the bug by validating the value before multiplying and capping it correctly.

Relevant Patch

net/sctp: Prevent autoclose integer overflow in sctp_association_init()

Key Fix (simplified)

// Before:
asoc->autoclose = sysctl_sctp_autoclose * HZ;

// After (patched):
if (sysctl_sctp_autoclose > INT_MAX / HZ)
    asoc->autoclose = INT_MAX;
else
    asoc->autoclose = sysctl_sctp_autoclose * HZ;

Now the code ensures there is no overflow no matter what value the sysctl is set to.

How Can the Vulnerability Be Exploited?

This is not a remote code execution bug in itself, but a local user with CAP_NET_ADMIN rights (or root) could:
- Set /proc/sys/net/sctp/max_autoclose to an extremely high value (like UINT_MAX).

Cause a denial of service for SCTP-based applications.

While abuse requires privileges, some containers or orchestrated setups might inadvertently allow these sysctl values to be manipulated.

Is My System Affected?

Check your kernel version:
If your kernel is older than the patch date (June 6, 2024), and you allow non-default SCTP settings, you’re at risk.

Upstream Patch:

commit 6be80c35c59e

CVE Entry:

CVE-2024-57938 at cve.org

Linux SCTP Documentation:

https://docs.kernel.org/networking/sctp.html

Summary

CVE-2024-57938 is a quiet but impactful kernel bug. Acting as a classic example of how integer math bugs are dangerous — especially in sensitive kernel paths — it demonstrates why boundary checks are always necessary, even on seemingly innocent sysctl settings. The fix is simple; the consequences of ignoring it could be hours of debugging dropped connections or, at worst, service downtime.

If you run Linux servers that use SCTP (telecom core networks, clustered databases, etc.), patch your systems soon!


*This post is exclusive to this platform and written in plain, straightforward language to help IT admins, developers, and security practitioners keep their Linux systems safe and stable.*

Timeline

Published on: 01/21/2025 12:15:27 UTC
Last modified on: 01/22/2025 23:01:40 UTC