2021-05-11 22:10:49 |
Steve Beattie |
description |
This is in order to track an issue without an identifier. |
A race condition was discovered in the Linux kernel's CAN ISOTP networking
protocol implementation that allows socket members to be changed after
the socket has been bound, which is meant to be forbidden.
In particular, the lack of locking in isotp_setsockopt() makes it
feasible to set the CAN_ISOTP_SF_BROADCAST flag on a socket that has
already registered a CAN receiver. After the ISOTP socket is closed, the
CAN receiver remains registered, so a use-after-free of the freed
isotp_sock structure can be triggered in isotp_rcv(). This leads to
arbitrary kernel code execution by overwriting the sk_error_report()
pointer, which can be abused to run a user-controlled ROP chain and gain
root privileges.
The vulnerability was introduced by commit 921ca574cd38 ("can: isotp: add
SF_BROADCAST support for functional addressing"), which added SF_BROADCAST
support in 5.11-rc1. Commit 323a391a220c ("can: isotp:
isotp_setsockopt(): block setsockopt on bound sockets") did not
effectively prevent isotp_setsockopt() from modifying socket members
while isotp_bind() is in progress, because its check for an
already-bound socket is not performed under the socket lock.
Credits: Norbert Slusarek |
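The following is an added, deterministic model of the check-then-act race described above; it is not the kernel's isotp code and not the upstream fix. The names are made up to mirror the advisory: SF_BROADCAST stands in for CAN_ISOTP_SF_BROADCAST, `rx_registered` for the CAN receiver that bind() registers, and `toy_lock()` for the socket lock. The model assumes the behaviour the description implies: bind() registers a receiver only for non-broadcast sockets, close() unregisters one only for non-broadcast sockets, and a receiver still registered after close() is the dangling reference isotp_rcv() would use. The `bind_in_between` argument forces a concurrent bind() into the window between the "already bound?" check and the flag write, which the scheduler would otherwise have to provide; the hardened variant holds the lock across both steps, so the interleaved bind() has to wait and then sees the flag.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define SF_BROADCAST 0x01          /* stand-in for CAN_ISOTP_SF_BROADCAST */

struct toy_sock {
    bool locked;        /* model of the socket lock (assumption, not lock_sock) */
    bool bound;
    bool rx_registered; /* a CAN receiver still points at this socket */
    bool freed;         /* socket memory released by close() */
    uint32_t flags;
};

/* Single-owner lock: returns false when the caller would have to wait. */
static bool toy_lock(struct toy_sock *s) {
    if (s->locked) return false;
    s->locked = true;
    return true;
}
static void toy_unlock(struct toy_sock *s) { s->locked = false; }

/* bind(): broadcast (functional-addressing) sockets are send-only and get no
 * receiver; everything else registers one. Runs under the lock. Returns false
 * if it could not take the lock, i.e. it would have waited and run later. */
static bool toy_bind(struct toy_sock *s) {
    if (!toy_lock(s)) return false;
    if (!(s->flags & SF_BROADCAST)) s->rx_registered = true;
    s->bound = true;
    toy_unlock(s);
    return true;
}

/* close(): mirrors bind(): only non-broadcast sockets unregister a receiver. */
static void toy_close(struct toy_sock *s) {
    if (!(s->flags & SF_BROADCAST)) s->rx_registered = false;
    s->freed = true;
}

/* The bad end state: a receiver registered for a socket that no longer exists. */
static bool toy_receiver_leaked(const struct toy_sock *s) {
    return s->freed && s->rx_registered;
}

/* Vulnerable shape: the bound check and the flag write are two separate steps
 * with no lock held between them, so a concurrent bind() can land in the gap. */
static int setsockopt_unlocked(struct toy_sock *s, uint32_t flags,
                               bool bind_in_between, bool *bind_deferred) {
    if (s->bound) return -1;                   /* the -EISCONN check */
    if (bind_in_between) *bind_deferred = !toy_bind(s);
    s->flags = flags;                          /* lands after bind() registered a receiver */
    return 0;
}

/* Hardened shape: check and write inside one critical section, so an
 * interleaved bind() cannot take the lock and must run afterwards. */
static int setsockopt_locked(struct toy_sock *s, uint32_t flags,
                             bool bind_in_between, bool *bind_deferred) {
    int ret = 0;
    if (!toy_lock(s)) return -2;               /* never happens in this model */
    if (s->bound) {
        ret = -1;
    } else {
        if (bind_in_between) *bind_deferred = !toy_bind(s);
        s->flags = flags;
    }
    toy_unlock(s);
    return ret;
}

typedef int (*setsockopt_fn)(struct toy_sock *, uint32_t, bool, bool *);

/* Interleaving from the advisory: setsockopt() passes its check, bind() runs,
 * setsockopt() writes SF_BROADCAST, close() then skips the unregister.
 * Returns true when the receiver outlives the socket. */
static bool run_race(setsockopt_fn setsockopt) {
    struct toy_sock s = {0};
    bool deferred = false;
    setsockopt(&s, SF_BROADCAST, true, &deferred);
    if (deferred) toy_bind(&s);   /* bind() that had to wait for the lock */
    toy_close(&s);
    return toy_receiver_leaked(&s);
}

/* The other serialization: bind() completes first, setsockopt() is refused.
 * Returns setsockopt()'s result; the receiver is cleaned up either way. */
static int run_bind_first(setsockopt_fn setsockopt) {
    struct toy_sock s = {0};
    bool deferred = false;
    toy_bind(&s);
    int ret = setsockopt(&s, SF_BROADCAST, false, &deferred);
    toy_close(&s);
    return toy_receiver_leaked(&s) ? -99 : ret;
}

int main(void) {
    printf("unlocked, bind in window: receiver leaked = %d\n", run_race(setsockopt_unlocked));
    printf("locked,   bind in window: receiver leaked = %d\n", run_race(setsockopt_locked));
    printf("unlocked, bind first: setsockopt = %d\n", run_bind_first(setsockopt_unlocked));
    printf("locked,   bind first: setsockopt = %d\n", run_bind_first(setsockopt_locked));
    return 0;
}
```

The unlocked variant ends with `freed && rx_registered`, the state in which a later frame delivered to the still-registered receiver would touch freed memory; the locked variant either refuses the option (bind first) or makes bind() observe SF_BROADCAST and register no receiver (setsockopt first), so neither order leaves a receiver behind.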
|