Race between isotp_bind and isotp_setsockopt

Bug #1927409 reported by Thadeu Lima de Souza Cascardo
This bug affects 1 person
Affects: linux (Ubuntu)
Status: Fix Released
Importance: Undecided
Assigned to: Unassigned
Milestone:

Bug Description

A race condition in the CAN ISOTP networking protocol was discovered
which allows forbidden changing of socket members after binding
the socket.

In particular, the lack of locking behavior in isotp_setsockopt()
makes it feasible to assign the flag CAN_ISOTP_SF_BROADCAST to the
socket, despite having previously registered a can receiver. After
closing the isotp socket, the can receiver will still be registered
and use-after-frees can be triggered in isotp_rcv() on the freed
isotp_sock structure. This leads to arbitrary kernel execution by
overwriting the sk_error_report() pointer, which can be misused in
order to execute a user-controlled ROP chain to gain root privileges.

The vulnerability was introduced with the introduction of SF_BROADCAST
support in commit 921ca574cd38 ("can: isotp: add SF_BROADCAST support
for functional addressing") in 5.11-rc1. In fact, commit 323a391a220c
("can: isotp: isotp_setsockopt(): block setsockopt on bound sockets")
did not effectively prevent isotp_setsockopt() from modifying socket
members before isotp_bind().

Credits: Norbert Slusarek
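
The state inconsistency described above can be reproduced in a small userspace model. This is an added example, not code from the report or from the kernel: struct model_sock, the model_* functions and the replay_* helpers are hypothetical stand-ins, a pthread mutex plays the role of the socket lock, and the teardown rule (skip unregistering when the broadcast flag is set) is an assumption taken from the report's wording.

```c
#include <errno.h>
#include <pthread.h>
#include <stdbool.h>
#define SF_BROADCAST 0x1u        /* stand-in for CAN_ISOTP_SF_BROADCAST */
struct model_sock {              /* hypothetical stand-in for isotp_sock */
    pthread_mutex_t lock;        /* plays the role of the socket lock */
    unsigned flags;
    bool bound, rx_registered;   /* rx_registered: a receiver references us */
};

/* Bind registers a receiver unless the socket is broadcast-only. */
static void model_bind(struct model_sock *so) {
    pthread_mutex_lock(&so->lock);
    if (!so->bound && !(so->flags & SF_BROADCAST)) so->rx_registered = true;
    so->bound = true;
    pthread_mutex_unlock(&so->lock);
}

/* Check and write share one critical section, so bind cannot run between. */
static int model_setsockopt(struct model_sock *so, unsigned flags) {
    int ret = 0;
    pthread_mutex_lock(&so->lock);
    if (so->bound) ret = -EISCONN; else so->flags = flags;
    pthread_mutex_unlock(&so->lock);
    return ret;
}

/* Teardown trusts flags to decide on unregistering; true = receiver left. */
static bool model_release(struct model_sock *so) {
    pthread_mutex_lock(&so->lock);
    if (so->bound && !(so->flags & SF_BROADCAST)) so->rx_registered = false;
    so->bound = false;
    pthread_mutex_unlock(&so->lock);
    return so->rx_registered;
}

/* No lock in the option path: check passes, bind completes, write lands late. */
static bool replay_unlocked(void) {
    struct model_sock so = { .lock = PTHREAD_MUTEX_INITIALIZER };
    bool check_passed = !so.bound;
    model_bind(&so);
    if (check_passed) so.flags |= SF_BROADCAST;
    return model_release(&so);
}

/* Locked option path, in either call order. */
static bool replay_locked(bool bind_first) {
    struct model_sock so = { .lock = PTHREAD_MUTEX_INITIALIZER };
    if (bind_first) { model_bind(&so); model_setsockopt(&so, SF_BROADCAST); }
    else            { model_setsockopt(&so, SF_BROADCAST); model_bind(&so); }
    return model_release(&so);
}
int main(void) { return (replay_unlocked() && !replay_locked(true) && !replay_locked(false)) ? 0 : 1; }
```

In the model, the unlocked replay ends with a receiver still registered after release, while the locked path either rejects the late flag change or applies it before bind, so teardown and registration always agree.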

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 5.11.0-17.18

---------------
linux (5.11.0-17.18) hirsute; urgency=medium

  * Race between isotp_bind and isotp_setsockopt (LP: #1927409)
    - SAUCE: Revert "can: isotp: add SF_BROADCAST support for functional
      addressing"

  * CVE-2021-3491
    - io_uring: fix overflows checks in provide buffers
    - SAUCE: proc: Avoid mixing integer types in mem_rw()
    - SAUCE: io_uring: truncate lengths larger than MAX_RW_COUNT on provide
      buffers

  * CVE-2021-3490
    - SAUCE: bpf: verifier: fix ALU32 bounds tracking with bitwise ops

  * CVE-2021-3489
    - SAUCE: bpf: ringbuf: deny reserve of buffers larger than ringbuf
    - SAUCE: bpf: prevent writable memory-mapping of read-only ringbuf pages

 -- Stefan Bader <email address hidden> Thu, 06 May 2021 17:31:47 +0200

Changed in linux (Ubuntu):
status: New → Fix Released
Steve Beattie (sbeattie) wrote :
description: updated
Steve Beattie (sbeattie) wrote :

Please note that this issue was addressed by temporarily reverting SF_BROADCAST support in the CAN ISOTP protocol implementation in Ubuntu's 5.11 kernels. When a correct fix has been identified upstream for this issue, SF_BROADCAST support will be re-enabled.

Steve Beattie (sbeattie)
information type: Private Security → Public Security
summary: - Race between two functions
+ Race between isotp_bind and isotp_setsockopt
Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote :

This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-focal' to 'verification-done-focal'. If the problem still exists, change the tag 'verification-needed-focal' to 'verification-failed-focal'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Thank you!

tags: added: verification-needed-focal