oss-sec mailing list archives

Re: Linux kernel: net/can/isotp: race condition leads to local privilege escalation

From: Oliver Hartkopp <socketcan () hartkopp net>
Date: Fri, 28 May 2021 17:41:03 +0200

Hello Greg,

this patch ("can: isotp: prevent race between isotp_bind() andisotp_setsockopt()") has hit Linus' tree ~36h ago:


https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/net/can?id=2b17c400aeb44daf041627722581ade527bb3c1d

It has a CVE number and is potentially exploitable - but it was not inthe latest batch of stable kernels about ~4h ago.


It was obviously not tagged properly for stable kernels but has a fixes-tag:

Fixes: 921ca574cd38 ("can: isotp: add SF_BROADCAST support forfunctional addressing")


which was introduced in 5.11

Thanks for taking care!

Best,
Oliver

On 14.05.21 01:52, Norbert Slusarek wrote:

As Salvatore already mentioned, the assigned CVE ID is CVE-2021-32606.
The exploitation details are published in an article available on github
via this link:
https://git.io/JsYYB<https://deref-gmx.net/mail/client/ulc_0Gq1TD4/dereferrer/?redirectUrl=https%3A%2F%2Fgit.io%2FJsYYB>
Regards,
Norbert Slusarek

Current thread:

Linux kernel: net/can/isotp: race condition leads to local privilege escalation Norbert Slusarek (May 11)
- Re: Linux kernel: net/can/isotp: race condition leads to local privilege escalation Salvatore Bonaccorso (May 11)
- Re: Linux kernel: net/can/isotp: race condition leads to local privilege escalation Norbert Slusarek (May 13)
  - Re: Linux kernel: net/can/isotp: race condition leads to local privilege escalation Solar Designer (May 14)
  - Re: Linux kernel: net/can/isotp: race condition leads to local privilege escalation Oliver Hartkopp (May 28)
    - Re: Linux kernel: net/can/isotp: race condition leads to local privilege escalation Marc Kleine-Budde (May 28)
    - Re: Linux kernel: net/can/isotp: race condition leads to local privilege escalation Greg Kroah-Hartman (May 29)