This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-focal' to 'verification-done-focal'. If the problem still exists, change the tag 'verification-needed-focal' to 'verification-failed-focal'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Thank you!

** Tags added: verification-needed-focal

-- 
You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1927409

Title:
  Race between isotp_bind and isotp_setsockopt

Status in linux package in Ubuntu:
  Fix Released

Bug description:
  A race condition in the CAN ISOTP networking protocol was discovered which allows forbidden changing of socket members after binding the socket. In particular, the lack of locking behavior in isotp_setsockopt() makes it feasible to assign the flag CAN_ISOTP_SF_BROADCAST to the socket, despite having previously registered a can receiver. After closing the isotp socket, the can receiver will still be registered and use-after-frees can be triggered in isotp_rcv() on the freed isotp_sock structure. This leads to arbitrary kernel execution by overwriting the sk_error_report() pointer, which can be misused in order to execute a user-controlled ROP chain to gain root privileges.

  The vulnerability was introduced with the introduction of SF_BROADCAST support in commit 921ca574cd38 ("can: isotp: add SF_BROADCAST support for functional addressing") in 5.11-rc1. In fact, commit 323a391a220c ("can: isotp: isotp_setsockopt(): block setsockopt on bound sockets") did not effectively prevent isotp_setsockopt() from modifying socket members before isotp_bind().

  Credits: Norbert Slusarek

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1927409/+subscriptions

-- 
Mailing list: https://launchpad.net/~kernel-packages
Post to     : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help   : https://help.launchpad.net/ListHelp
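The defect described above is an ordering check that is not protected by the socket lock: setsockopt can still change option flags after bind has registered the receiver. The following is a constructed user-space model added here to illustrate that point; it is not the kernel's isotp code, and struct model_sock, model_bind(), setsockopt_unlocked() and setsockopt_locked() are hypothetical names. It assumes the usual fix shape (take the socket lock, refuse option changes once bound), with an atomic flag standing in for lock_sock()/release_sock().

```c
#include <errno.h>
#include <stdatomic.h>
#include <stdbool.h>

/* Constructed stand-in for CAN_ISOTP_SF_BROADCAST; the value is arbitrary. */
#define MODEL_SF_BROADCAST 0x0800u

/* Simplified model of the socket state that matters for this bug. */
struct model_sock {
    atomic_flag lock;   /* stands in for the socket lock */
    bool bound;         /* true once bind() has registered the receiver */
    unsigned int flags; /* option flags, e.g. MODEL_SF_BROADCAST */
};

void model_sock_init(struct model_sock *s)
{
    atomic_flag_clear(&s->lock);
    s->bound = false;
    s->flags = 0;
}

static void sock_lock(struct model_sock *s)
{
    while (atomic_flag_test_and_set(&s->lock))
        ; /* spin; a real kernel uses lock_sock() */
}

static void sock_unlock(struct model_sock *s)
{
    atomic_flag_clear(&s->lock);
}

/* bind: registers the receiver and marks the socket bound, under the lock. */
int model_bind(struct model_sock *s)
{
    int ret = 0;
    sock_lock(s);
    if (s->bound)
        ret = -EINVAL;      /* already bound */
    else
        s->bound = true;    /* receiver now references this socket */
    sock_unlock(s);
    return ret;
}

/* Pre-fix shape: no lock and no bound check, so flags change after bind. */
int setsockopt_unlocked(struct model_sock *s, unsigned int flags)
{
    s->flags = flags;
    return 0;
}

/* Post-fix shape: hold the lock and reject changes once the socket is bound. */
int setsockopt_locked(struct model_sock *s, unsigned int flags)
{
    int ret = 0;
    sock_lock(s);
    if (s->bound)
        ret = -EISCONN;     /* option changes are only valid before bind */
    else
        s->flags = flags;
    sock_unlock(s);
    return ret;
}
```

Because the bound check and the flag write happen under the same lock, a concurrent bind cannot slip in between them, which is the window the report describes.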