oss-sec mailing list archives
Linux kernel: net: mctp: A Use-After-Free bug in mctp_sk_unhash in net/mctp/af_mctp.c
From: butt3rflyh4ck <butterflyhuangxx () gmail com>
Date: Sun, 23 Oct 2022 13:51:31 +0800
Hi, there is a Use-After-Free bug in mctp_sk_unhash in net/mctp/af_mctp.c in the last Linux kernel upstream. An unprivileged the user reproduced it with new namespaces.It would cause Local Privilege Escalation(LPE). It was introduced in v5.18.0, commit is 63ed1aab3d40aa61aaa66819bdce9377ac7f40fa. It affected all the way up to upstream v6.0.0 and stable. Unfortunately, the mctp kernel module is not automatically loaded. I have reported to secuirty () kernel org a month ago and Now the patch was opened to the public. ##Root Cause The bug was introduced in commit 63ed1aab3d40aa61aaa66819bdce9377ac7f40fa. It add SIOCMCTP{ALLOC,DROP}TAG ioctls for tag control.This change adds a couple of new ioctls for mctp sockets: SIOCMCTPALLOCTAG and SIOCMCTPDROPTAG. where a simultaneous DROPTAG ioctl and socket close may race, as we attempt to remove a key from lists twice, and perform an unref for each removal operation. This may result in a uaf when we attempt the second unref. ##Fix 1.https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=3a732b46736cd8a29092e4b0b1a9ba83e672bf89 ## CVE Now no CVE number is assigned for this issue. ##Timeline 2022-9-26: reported to security () kernel org. 2022-9-26: bug confirmed. 2022-10-06: patch it. 2022-10-12: patch released. 2022-10-12: reported to secalert () redhat com. 2022-10-23: Announced on oss-security lists. ## Credit this bus is reported by Active Defense Lab of Venustech. Regards, butt3rflyh4ck. -- Active Defense Lab of Venustech
Current thread:
- Linux kernel: net: mctp: A Use-After-Free bug in mctp_sk_unhash in net/mctp/af_mctp.c butt3rflyh4ck (Oct 22)
- Re: Linux kernel: net: mctp: A Use-After-Free bug in mctp_sk_unhash in net/mctp/af_mctp.c butt3rflyh4ck (Nov 13)