Race between isotp_bind and isotp_setsockopt
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
linux (Ubuntu) | Fix Released | Undecided | Unassigned | 
Bug Description
A race condition in the CAN ISOTP networking protocol was discovered
which allows socket members to be changed after the socket has been
bound, which the code is meant to forbid.
In particular, the lack of locking in isotp_setsockopt() makes it
feasible to set the CAN_ISOTP_SF_BROADCAST flag on a socket that has
already registered a CAN receiver in isotp_bind(). Because
isotp_release() skips can_rx_unregister() for sockets carrying that
flag, the CAN receiver stays registered after the socket is closed,
and incoming frames trigger use-after-frees in isotp_rcv() on the
freed isotp_sock structure. This leads to arbitrary kernel code
execution: the sk_error_report function pointer of the freed socket
can be overwritten to execute a user-controlled ROP chain and gain
root privileges.
The vulnerability was introduced with SF_BROADCAST support in commit
921ca574cd38 ("can: isotp: add SF_BROADCAST support for functional
addressing") in 5.11-rc1. Commit 323a391a220c ("can: isotp:
isotp_setsockopt(): block setsockopt on bound sockets") did not
effectively close the window: it checks so->bound without holding the
socket lock, so an isotp_setsockopt() call that passes the check can
still modify socket members while isotp_bind() runs concurrently.
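The interleaving described above, as an added userspace model that is not kernel code and not part of this bug report: struct isotp_sock, the receiver table and the socket lock are simplified stand-ins for net/can/isotp.c, the lock is a plain flag because the steps are driven from a single thread, and the flag value 0x0800 is assumed to match CAN_ISOTP_SF_BROADCAST in linux/can/isotp.h. The unlocked variant of the setsockopt check reproduces the dangling receiver; the locked variant, which is what the upstream fix does with lock_sock(), keeps registration and unregistration consistent.

```c
/*
 * Added example, not kernel code: a single-threaded userspace model of the race
 * between isotp_bind() and isotp_setsockopt(). struct isotp_sock, the receiver
 * table and the socket lock are stand-ins for net/can/isotp.c; the lock is a
 * plain flag because the interleaving is driven step by step from one thread.
 * The flag value is assumed to match CAN_ISOTP_SF_BROADCAST in linux/can/isotp.h.
 */
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

#define CAN_ISOTP_SF_BROADCAST 0x0800

struct isotp_sock {
    bool locked;         /* model of the socket lock (lock_sock()/release_sock()) */
    bool bound;
    unsigned int flags;
};

static int rx_registered; /* model of the CAN receiver table: entries pointing at the socket */

/* isotp_bind() runs under the socket lock; an SF_BROADCAST socket is send-only
 * and registers no receiver. If the lock is held the real bind() would sleep;
 * the model returns -EAGAIN so the caller can retry once the holder is done. */
static int model_bind(struct isotp_sock *so)
{
    if (so->locked)
        return -EAGAIN;
    so->locked = true;
    if (!(so->flags & CAN_ISOTP_SF_BROADCAST))
        rx_registered++;                  /* can_rx_register() */
    so->bound = true;
    so->locked = false;
    return 0;
}

/* isotp_release() skips can_rx_unregister() for SF_BROADCAST sockets, which is
 * only correct if the flag cannot change once the socket is bound. */
static void model_release(struct isotp_sock *so)
{
    so->locked = true;
    if (so->bound && !(so->flags & CAN_ISOTP_SF_BROADCAST))
        rx_registered--;                  /* can_rx_unregister() */
    so->bound = false;
    so->locked = false;
}

/* isotp_setsockopt(), split into check and update halves so bind() can be
 * interleaved between them. fixed == false: the bound check runs unlocked, as
 * after 323a391a220c. fixed == true: the lock is taken before the check and
 * held until the update is done, so bind() is excluded for the whole call. */
static int setsockopt_check(struct isotp_sock *so, bool fixed)
{
    if (fixed)
        so->locked = true;                /* lock_sock(sk) */
    if (so->bound) {
        so->locked = false;
        return -EISCONN;
    }
    return 0;
}

static void setsockopt_apply(struct isotp_sock *so, unsigned int flags)
{
    so->flags = flags;
    so->locked = false;                   /* release_sock(sk); no-op in the unlocked variant */
}

/* Drive the racy interleaving and return the receivers still registered after
 * close(); each one is a dangling pointer that isotp_rcv() would follow. */
int dangling_receivers(bool fixed)
{
    struct isotp_sock so = { 0 };
    int ret, bind_ret;

    rx_registered = 0;
    ret = setsockopt_check(&so, fixed);   /* task A: sees bound == 0 */
    bind_ret = model_bind(&so);           /* task B: registers a receiver (vulnerable) or blocks (fixed) */
    if (ret == 0)
        setsockopt_apply(&so, CAN_ISOTP_SF_BROADCAST); /* task A: flag is set */
    if (bind_ret == -EAGAIN)
        model_bind(&so);                  /* task B resumes: flag already set, no receiver */
    model_release(&so);                   /* flag set, so unregister is skipped */
    return rx_registered;
}

int main(void)
{
    printf("vulnerable: %d dangling receiver(s), fixed: %d\n",
           dangling_receivers(false), dangling_receivers(true));
    return 0;
}
```

With the unlocked check the socket ends up closed while the receiver table still points at it, which is the state isotp_rcv() dereferences after the kernel frees the isotp_sock; with the check and update both under the lock, bind() either completes before setsockopt() and the option is rejected with -EISCONN, or runs after it and sees the flag, so no receiver is registered in the first place.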
Credits: Norbert Slusarek
information type: Private Security → Public Security
summary: "Race between two functions" → "Race between isotp_bind and isotp_setsockopt"
This bug was fixed in the package linux - 5.11.0-17.18
---------------
linux (5.11.0-17.18) hirsute; urgency=medium
* Race between isotp_bind and isotp_setsockopt (LP: #1927409)
- SAUCE: Revert "can: isotp: add SF_BROADCAST support for functional
addressing"
* CVE-2021-3491
- io_uring: fix overflows checks in provide buffers
- SAUCE: proc: Avoid mixing integer types in mem_rw()
- SAUCE: io_uring: truncate lengths larger than MAX_RW_COUNT on provide
buffers
* CVE-2021-3490
- SAUCE: bpf: verifier: fix ALU32 bounds tracking with bitwise ops
* CVE-2021-3489
- SAUCE: bpf: ringbuf: deny reserve of buffers larger than ringbuf
- SAUCE: bpf: prevent writable memory-mapping of read-only ringbuf pages
-- Stefan Bader <email address hidden> Thu, 06 May 2021 17:31:47 +0200