Bugzilla – Full Text Bug Listing
|Summary:||VUL-0: CVE-2021-32606: kernel-source-azure,kernel-source,kernel-source-rt: kernel: isotp_setsockopt in net/can/isotp.c allows privilege escalation via use-after-free|
|Product:||[Novell Products] SUSE Security Incidents||Reporter:||Marcus Meissner <meissner>|
|Component:||Incidents||Assignee:||Security Team bot <security-team>|
|Status:||RESOLVED FIXED||QA Contact:||Security Team bot <security-team>|
|Priority:||P2 - High||CC:||bpetkov, meissner, rfrohl, smash_bz, tiwai|
|Found By:||Security Response Team||Services Priority:|
|Marketing QA Status:||---||IT Deployment:||---|
Description Marcus Meissner 2021-05-12 08:28:12 UTC
A race condition in the CAN ISOTP networking protocol was discovered which allows forbidden changing of socket members after binding the socket. In particular, the lack of locking behavior in isotp_setsockopt() makes it feasible to assign the flag CAN_ISOTP_SF_BROADCAST to the socket, despite having previously registered a can receiver. After closing the isotp socket, the can receiver will still be registered and use-after-free's can be triggered in isotp_rcv() on the freed isotp_sock structure. This leads to arbitrary kernel execution by overwriting the sk_error_report() pointer, which can be misused in order to execute a user-controlled ROP chain to gain root privileges. The vulnerability was introduced with the introduction of SF_BROADCAST support in commit 921ca574cd38 ("can: isotp: add SF_BROADCAST support for functional addressing") in 5.11-rc1. In fact, commit 323a391a220c ("can: isotp: isotp_setsockopt(): block setsockopt on bound sockets") did not effectively prevent isotp_setsockopt() from modifying socket members before isotp_bind(). The requested CVE ID will be revealed along with further exploitation details as a response to this notice on 13th May of 2021. Credits: Norbert Slusarek *** exploit log *** Adjusted to work with openSUSE Tumbleweed. noprivs@suse:~/expl> uname -a Linux suse 5.12.0-1-default #1 SMP Mon Apr 26 04:25:46 UTC 2021 (5d43652) x86_64 x86_64 x86_64 GNU/Linux noprivs@suse:~/expl> ./lpe [+] entering setsockopt [+] entering bind [+] left bind with ret = 0 [+] left setsockopt with flags = 838 [+] race condition hit, closing and spraying socket [+] sending msg to run softirq with isotp_rcv() [+] check sudo su for root rights noprivs@suse:~/expl> sudo su suse:/home/noprivs/expl # id uid=0(root) gid=0(root) groups=0(root) suse:/home/noprivs/expl # cat /root/check high school student living in germany looking for an internship in info sec. if interested please reach out to firstname.lastname@example.org. Regards, Norbert Slusarek
Comment 1 Marcus Meissner 2021-05-12 08:28:46 UTC
likely only opensuse tumbleweed
Comment 3 Marcus Meissner 2021-05-18 13:36:43 UTC
its a dup, prehaps use this bug for tracking?
Comment 4 Borislav Petkov 2021-05-18 14:09:37 UTC
Your call - I'm fine with whichever one you guys use. Just close the other one :)
Comment 5 Takashi Iwai 2021-05-18 14:45:23 UTC
Already fixed in the upstream netdev? https://git.kernel.org/pub/scm/linux/kernel/git/netdev/net.git/commit/?id=2b17c400aeb44daf041627722581ade527bb3c1d It takes the lock_sock() around isotp_setsockopt().
Comment 6 Borislav Petkov 2021-05-18 15:31:14 UTC
Looks like it, see 1185564.
Comment 7 Takashi Iwai 2021-05-18 15:38:30 UTC
OK, now I pushed the backported fix to stable branch for TW. Older releases are unaffected. Reassigned back to security team.
Comment 8 Marcus Meissner 2021-05-20 10:03:29 UTC
*** Bug 1185564 has been marked as a duplicate of this bug. ***
Comment 9 Marcus Meissner 2021-05-20 10:03:47 UTC