Re: Linux kernel: Exploitable vulnerabilities in AF_VSOCK implementation

[Alexander Popov <alex.popov () linux com>]

On February 5, 2021 12:43:31 AM GMT+03:00, Alexander Popov <alex.popov () linux com> wrote:
> Hello!
>
> Let me inform you about the Linux kernel vulnerabilities that I've
> found in
> AF_VSOCK implementation. I managed to exploit one of them for a local
> privilege
> escalation on Fedora Server 33 for x86_64, bypassing SMEP and SMAP. I'm
> going to
> share all the details about the exploit techniques later.
>
> CONFIG_VSOCKETS and CONFIG_VIRTIO_VSOCKETS are shipped as kernel
> modules in all
> major GNU/Linux distributions. The vulnerable modules are automatically
> loaded
> when you create a socket for AF_VSOCK. That is available for
> unprivileged users
> and user namespaces are not needed for that.
>
> These vulnerabilities are race conditions caused by wrong locking in
> net/vmw_vsock/af_vsock.c. The race conditions were implicitly
> introduced in
> November 2019 in the commits c0cfa2d8a788fcf4 and 6a2c0962105ae8ce that
> added
> VSOCK multi-transport support. These commits were merged in the Linux
> kernel
> v5.5-rc1.
>
> I prepared the fixing patch and made responsible disclosure to
> security () kernel org. Now the patch is merged into the mainline kernel:
>  "vsock: fix the race conditions in multi-transport support"
>
> https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=c518adafa39f37858697ac9309c6cf1805581446
> This patch is also backported into the affected stable trees.
>
> I've requested a CVE ID for these vulnerabilities at
> https://cveform.mitre.org/.

CVE-2021-26708 is assigned to these issues:
https://nvd.nist.gov/vuln/detail/CVE-2021-26708

Best regards,
Alexander