Race between isotp_bind and isotp_setsockopt

Bug #1927409 reported by Thadeu Lima de Souza Cascardo
Affects: linux (Ubuntu)
Status: Fix Released
Importance: Undecided
Assigned to: Unassigned
Milestone:

Bug Description

A race condition in the CAN ISOTP networking protocol was discovered
which allows forbidden changing of socket members after binding
the socket.

In particular, the lack of locking behavior in isotp_setsockopt()
makes it feasible to assign the flag CAN_ISOTP_SF_BROADCAST to the
socket, despite having previously registered a can receiver. After
closing the isotp socket, the can receiver will still be registered
and use-after-frees can be triggered in isotp_rcv() on the freed
isotp_sock structure. This leads to arbitrary kernel execution by
overwriting the sk_error_report() pointer, which can be misused in
order to execute a user-controlled ROP chain to gain root privileges.

The vulnerability was introduced with the introduction of SF_BROADCAST
support in commit 921ca574cd38 ("can: isotp: add SF_BROADCAST support
for functional addressing") in 5.11-rc1. In fact, commit 323a391a220c
("can: isotp: isotp_setsockopt(): block setsockopt on bound sockets")
did not effectively prevent isotp_setsockopt() from modifying socket
members before isotp_bind().

Credits: Norbert Slusarek
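The check-then-act window the description refers to, shown as an added illustration that is not part of the bug report or of the kernel source: a small userspace model in C, constructed from the behaviour described above (bind registers a CAN receiver only when the broadcast flag is unset, close unregisters it only when the flag is unset, and setsockopt must be refused once the socket is bound). The struct, function names and flag value are all assumptions; the `interleaved_bind` parameter deterministically stands in for a concurrent bind() landing between the "already bound?" check and the flag write. The locked variant shows the generic remedy of holding the same lock bind() takes across both steps, which is the pattern the reference to "the lack of locking behavior in isotp_setsockopt()" points at.

```c
#include <pthread.h>
#include <stdbool.h>
#include <stdio.h>

/* Constructed flag value for the model; not the real CAN_ISOTP_SF_BROADCAST. */
#define MODEL_SF_BROADCAST 0x0400u

/* Hypothetical stand-in for the per-socket state the description talks about. */
struct model_sock {
    pthread_mutex_t lock;   /* plays the role of the socket lock */
    bool bound;             /* set by bind() */
    bool rx_registered;     /* a CAN receiver is registered for this socket */
    unsigned int flags;     /* option flags set through setsockopt() */
};

void model_init(struct model_sock *s)
{
    pthread_mutex_init(&s->lock, NULL);
    s->bound = false;
    s->rx_registered = false;
    s->flags = 0;
}

/* bind(): registers a receiver unless the socket is in broadcast mode. */
int model_bind(struct model_sock *s)
{
    pthread_mutex_lock(&s->lock);
    if (!(s->flags & MODEL_SF_BROADCAST))
        s->rx_registered = true;
    s->bound = true;
    pthread_mutex_unlock(&s->lock);
    return 0;
}

/* close(): a broadcast socket never registered a receiver, so it skips the
 * unregister step. Returns 1 if a receiver is left behind (the dangling
 * registration the description says leads to a use-after-free), else 0. */
int model_release(struct model_sock *s)
{
    pthread_mutex_lock(&s->lock);
    if (s->bound && !(s->flags & MODEL_SF_BROADCAST))
        s->rx_registered = false;
    int leaked = s->rx_registered ? 1 : 0;
    pthread_mutex_unlock(&s->lock);
    return leaked;
}

/* Racy pattern: the "already bound?" check and the flag write are not covered
 * by the lock that bind() holds, so bind() can run between them. */
int model_setsockopt_racy(struct model_sock *s, unsigned int flag, bool interleaved_bind)
{
    if (s->bound)
        return -1;                 /* reject changes on a bound socket */
    if (interleaved_bind)
        model_bind(s);             /* registers a receiver: flag not set yet */
    s->flags |= flag;              /* now bound + receiver + broadcast flag */
    return 0;
}

/* Fixed pattern: check and write under the same lock bind() takes, so bind()
 * observes the socket either entirely before or entirely after the change. */
int model_setsockopt_locked(struct model_sock *s, unsigned int flag, bool interleaved_bind)
{
    pthread_mutex_lock(&s->lock);
    if (s->bound) {
        pthread_mutex_unlock(&s->lock);
        return -1;
    }
    s->flags |= flag;
    pthread_mutex_unlock(&s->lock);
    if (interleaved_bind)
        model_bind(s);             /* earliest point bind() can run: sees the flag */
    return 0;
}

int main(void)
{
    struct model_sock racy, fixed;
    model_init(&racy);
    model_setsockopt_racy(&racy, MODEL_SF_BROADCAST, true);
    printf("racy:   receiver left registered after close = %d\n", model_release(&racy));
    model_init(&fixed);
    model_setsockopt_locked(&fixed, MODEL_SF_BROADCAST, true);
    printf("locked: receiver left registered after close = %d\n", model_release(&fixed));
    return 0;
}
```

The invariant worth asserting in a regression test is "a bound socket with a registered receiver never carries the broadcast flag"; the racy variant breaks it in one interleaving, the locked variant cannot, and both still refuse the option on a socket that was already bound.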

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 5.11.0-17.18

---------------
linux (5.11.0-17.18) hirsute; urgency=medium

  * Race between isotp_bind and isotp_setsockopt (LP: #1927409)
    - SAUCE: Revert "can: isotp: add SF_BROADCAST support for functional
      addressing"

  * CVE-2021-3491
    - io_uring: fix overflows checks in provide buffers
    - SAUCE: proc: Avoid mixing integer types in mem_rw()
    - SAUCE: io_uring: truncate lengths larger than MAX_RW_COUNT on provide
      buffers

  * CVE-2021-3490
    - SAUCE: bpf: verifier: fix ALU32 bounds tracking with bitwise ops

  * CVE-2021-3489
    - SAUCE: bpf: ringbuf: deny reserve of buffers larger than ringbuf
    - SAUCE: bpf: prevent writable memory-mapping of read-only ringbuf pages

 -- Stefan Bader <email address hidden> Thu, 06 May 2021 17:31:47 +0200

Changed in linux (Ubuntu):
status: New → Fix Released
Steve Beattie (sbeattie) wrote :
description: updated
Steve Beattie (sbeattie) wrote :

Please note that this issue was addressed by temporarily reverting SF_BROADCAST support in the CAN ISOTP protocol implementation in Ubuntu's 5.11 kernels. When a correct fix has been identified upstream for this issue, SF_BROADCAST support will be re-enabled.

Steve Beattie (sbeattie)
information type: Private Security → Public Security
summary: - Race between two functions
+ Race between isotp_bind and isotp_setsockopt
Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote :

This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-focal' to 'verification-done-focal'. If the problem still exists, change the tag 'verification-needed-focal' to 'verification-failed-focal'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags: added: verification-needed-focal