** Information type changed from Private Security to Public Security

https://bugs.launchpad.net/bugs/1927409

Title:
  Race between two functions

Status in linux package in Ubuntu:
  Fix Released

Bug description:
  A race condition in the CAN ISOTP networking protocol was discovered
  which allows forbidden changing of socket members after binding
  the socket.

  In particular, the lack of locking behavior in isotp_setsockopt()
  makes it feasible to assign the flag CAN_ISOTP_SF_BROADCAST to the
  socket, despite having previously registered a CAN receiver. After
  closing the isotp socket, the CAN receiver will still be registered
  and use-after-frees can be triggered in isotp_rcv() on the freed
  isotp_sock structure.  This leads to arbitrary kernel execution by
  overwriting the sk_error_report() pointer, which can be misused in
  order to execute a user-controlled ROP chain to gain root privileges.

  The vulnerability was introduced with the introduction of SF_BROADCAST
  support in commit 921ca574cd38 ("can: isotp: add SF_BROADCAST support
  for functional addressing") in 5.11-rc1.  In fact, commit 323a391a220c
  ("can: isotp: isotp_setsockopt(): block setsockopt on bound sockets")
  did not effectively prevent isotp_setsockopt() from modifying socket
  members before isotp_bind(). 

  Credits: Norbert Slusarek
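
The check-then-write race described above, as a deterministic userspace model added here for illustration; it is not kernel code and not taken from the bug report. All names (model_sock, MODEL_SF_BROADCAST, model_bind, model_release) are hypothetical, and the release behaviour (skipping unregistration when the broadcast flag is set) is an assumption drawn from the description.

```c
#include <stdbool.h>
#include <stdio.h>

#define MODEL_SF_BROADCAST 0x1u /* constructed stand-in for CAN_ISOTP_SF_BROADCAST */

struct model_sock {
    bool locked;        /* models the socket lock being held */
    bool bound;
    bool rx_registered; /* models the registered CAN receiver */
    unsigned flags;
};

/* bind: registers a receiver unless the broadcast flag is already set */
static void model_bind(struct model_sock *s)
{
    if (!(s->flags & MODEL_SF_BROADCAST))
        s->rx_registered = true;
    s->bound = true;
}

/* release: assumed to skip unregistering when the broadcast flag is set */
static void model_release(struct model_sock *s)
{
    if (s->bound && !(s->flags & MODEL_SF_BROADCAST))
        s->rx_registered = false;
    s->bound = false;
}

/* One fixed interleaving: setsockopt's "not bound" check, a racing bind,
 * then the flag write. Returns true if a receiver outlives the close. */
static bool receiver_dangles_after_close(bool hold_lock)
{
    struct model_sock s = {0};
    bool bind_pending = true;

    s.locked = hold_lock;              /* hardened path locks before checking */
    if (s.bound)
        return false;                  /* step 1: check passes, socket unbound */
    if (!s.locked) {                   /* without the lock, bind slips in here */
        model_bind(&s);
        bind_pending = false;
    }
    s.flags |= MODEL_SF_BROADCAST;     /* step 2: write based on a stale check */
    s.locked = false;
    if (bind_pending)
        model_bind(&s);                /* with the lock, bind waits until now */
    model_release(&s);
    return s.rx_registered;
}

int main(void)
{
    printf("unlocked: dangling=%d\n", receiver_dangles_after_close(false));
    printf("locked:   dangling=%d\n", receiver_dangles_after_close(true));
    return 0;
}
```

With the lock held across both the check and the write, bind observes the flag before registering, so registration and unregistration stay paired.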
