** Summary changed:

- Race between two functions
+ Race between isotp_bind and isotp_setsockopt

https://bugs.launchpad.net/bugs/1927409

Title:
  Race between isotp_bind and isotp_setsockopt

Status in linux package in Ubuntu:
  Fix Released

Bug description:
  A race condition in the CAN ISOTP networking protocol was discovered
  which allows forbidden changing of socket members after binding the
  socket. In particular, the lack of locking behavior in
  isotp_setsockopt() makes it feasible to assign the flag
  CAN_ISOTP_SF_BROADCAST to the socket, despite having previously
  registered a can receiver. After closing the isotp socket, the can
  receiver will still be registered and use-after-frees can be triggered
  in isotp_rcv() on the freed isotp_sock structure. This leads to
  arbitrary kernel execution by overwriting the sk_error_report() pointer,
  which can be misused in order to execute a user-controlled ROP chain to
  gain root privileges.

  The vulnerability was introduced with the introduction of SF_BROADCAST
  support in commit 921ca574cd38 ("can: isotp: add SF_BROADCAST support
  for functional addressing") in 5.11-rc1. In fact, commit 323a391a220c
  ("can: isotp: isotp_setsockopt(): block setsockopt on bound sockets")
  did not effectively prevent isotp_setsockopt() from modifying socket
  members before isotp_bind().

  Credits: Norbert Slusarek
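The defect described above is a check-then-act on the socket's bound state that is not serialized against isotp_bind(). The userspace model below (added here; it is not kernel code and not taken from the bug report or the upstream fix) shows the unsafe shape beside a hardened one where the bound check and the flag write share the same lock that bind takes; the struct, function names and the -EISCONN return are assumptions of the model, and the flag value mirrors linux/can/isotp.h.

```c
/* Userspace model of the isotp_bind()/isotp_setsockopt() ordering bug.
 * A pthread mutex stands in for the socket lock (lock_sock(sk)). */
#include <errno.h>
#include <pthread.h>
#include <stdint.h>

#define CAN_ISOTP_SF_BROADCAST 0x0800u /* flag value as in linux/can/isotp.h */

struct isotp_sock_model {          /* assumed model, not struct isotp_sock */
    pthread_mutex_t lock;          /* plays the role of the socket lock */
    int bound;                     /* non-zero once a CAN receiver is registered */
    uint32_t flags;
};

void model_init(struct isotp_sock_model *so) {
    pthread_mutex_init(&so->lock, NULL);
    so->bound = 0;
    so->flags = 0;
}

/* bind: registers the receiver under the socket lock. */
int model_bind(struct isotp_sock_model *so) {
    int ret = 0;
    pthread_mutex_lock(&so->lock);
    if (so->bound) ret = -EINVAL;  /* already bound */
    else so->bound = 1;
    pthread_mutex_unlock(&so->lock);
    return ret;
}

/* Unsafe shape: the bound check and the flag write are not under the lock,
 * so a concurrent bind can land between them and the flag is applied to a
 * socket whose receiver is already registered. */
int setsockopt_unlocked(struct isotp_sock_model *so, uint32_t flags) {
    if (so->bound) return -EISCONN;
    so->flags = flags;             /* window: bound may have become 1 here */
    return 0;
}

/* Hardened shape: check and write form one critical section under the same
 * lock bind takes, so the state cannot change in between. */
int setsockopt_locked(struct isotp_sock_model *so, uint32_t flags) {
    int ret = 0;
    pthread_mutex_lock(&so->lock);
    if (so->bound) ret = -EISCONN;
    else so->flags = flags;
    pthread_mutex_unlock(&so->lock);
    return ret;
}
```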