Bug 1185953 - (CVE-2021-32606) VUL-0: CVE-2021-32606: kernel-source-azure,kernel-source,kernel-source-rt: kernel: isotp_setsockopt in net/can/isotp.c allows privilege escalation via use-after-free
Status: RESOLVED FIXED
Duplicates: 1185564
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Priority: P2 - High
Severity: Major
Assigned To: Security Team bot
URL: https://smash.suse.de/issue/284122/
Reported: 2021-05-12 08:28 UTC by Marcus Meissner
Modified: 2021-05-20 10:03 UTC
Found By: Security Response Team
Description Marcus Meissner 2021-05-12 08:28:12 UTC
A race condition in the CAN ISOTP networking protocol was discovered which
allows forbidden changing of socket members after binding the socket.

In particular, the lack of locking behavior in isotp_setsockopt() makes it
feasible to assign the flag CAN_ISOTP_SF_BROADCAST to the socket, despite having
previously registered a can receiver. After closing the isotp socket, the can
receiver will still be registered and use-after-frees can be triggered in
isotp_rcv() on the freed isotp_sock structure.
This leads to arbitrary kernel execution by overwriting the sk_error_report()
pointer, which can be misused in order to execute a user-controlled ROP chain to
gain root privileges.

The vulnerability was introduced with the introduction of SF_BROADCAST support
in commit 921ca574cd38 ("can: isotp: add SF_BROADCAST support for functional
addressing") in 5.11-rc1.
In fact, commit 323a391a220c ("can: isotp: isotp_setsockopt():
block setsockopt on bound sockets") did not effectively prevent isotp_setsockopt()
from modifying socket members before isotp_bind().

The requested CVE ID will be revealed along with further exploitation details
as a response to this notice on 13 May 2021.

Credits: Norbert Slusarek

*** exploit log ***

Adjusted to work with openSUSE Tumbleweed.

noprivs@suse:~/expl> uname -a
Linux suse 5.12.0-1-default #1 SMP Mon Apr 26 04:25:46 UTC 2021 (5d43652) x86_64 x86_64 x86_64 GNU/Linux
noprivs@suse:~/expl> ./lpe
[+] entering setsockopt
[+] entering bind
[+] left bind with ret = 0
[+] left setsockopt with flags = 838
[+] race condition hit, closing and spraying socket
[+] sending msg to run softirq with isotp_rcv()
[+] check sudo su for root rights
noprivs@suse:~/expl> sudo su
suse:/home/noprivs/expl # id
uid=0(root) gid=0(root) groups=0(root)
suse:/home/noprivs/expl # cat /root/check
high school student living in germany looking for an internship in info sec.
if interested please reach out to nslusarek@gmx.net.

Regards,
Norbert Slusarek
Comment 1 Marcus Meissner 2021-05-12 08:28:46 UTC
Likely only openSUSE Tumbleweed.
Comment 3 Marcus Meissner 2021-05-18 13:36:43 UTC
It's a dup, perhaps use this bug for tracking?
Comment 4 Borislav Petkov 2021-05-18 14:09:37 UTC
Your call - I'm fine with whichever one you guys use. Just close the other one :)
Comment 5 Takashi Iwai 2021-05-18 14:45:23 UTC
Already fixed in the upstream netdev?
  https://git.kernel.org/pub/scm/linux/kernel/git/netdev/net.git/commit/?id=2b17c400aeb44daf041627722581ade527bb3c1d

It takes the lock_sock() around isotp_setsockopt().
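A user-space model of the check-then-write race from the description and of the lock_sock() fix Takashi points to in Comment 5 (an example added here, not code from the kernel, from the fix commit, or from anyone on this bug). The struct, SF_BROADCAST, the model_* functions and the semaphore-driven preemption point are stand-ins for the socket lock, CAN_ISOTP_SF_BROADCAST, the isotp functions and kernel preemption, not the real net/can/isotp.c code.

```c
#include <pthread.h>
#include <semaphore.h>
#include <stdbool.h>
#define SF_BROADCAST 0x1u   /* stands in for CAN_ISOTP_SF_BROADCAST */
static struct isotp_sock {
    pthread_mutex_t lock;   /* the socket lock taken by lock_sock() */
    bool bound, rx_registered;
    unsigned flags;
} sk;
static sem_t checked, bound;    /* setsockopt -> bind, and back */
static bool use_lock;           /* false: unpatched, true: patched */

/* isotp_bind(): registers a CAN receiver unless the socket is broadcast. */
static void model_bind(void)
{
    pthread_mutex_lock(&sk.lock);
    if (!(sk.flags & SF_BROADCAST)) sk.rx_registered = true;
    sk.bound = true;
    pthread_mutex_unlock(&sk.lock);
    sem_post(&bound);
}

/* isotp_setsockopt(): refuse changes on bound sockets, then apply. Unpatched, bind()
 * completes between check and write (the exploit log's ordering); patched, the lock
 * is held across both, so bind() blocks in lock_sock() and nothing is waited for. */
static void *model_setsockopt(void *unused)
{
    if (use_lock) pthread_mutex_lock(&sk.lock);
    bool was_bound = sk.bound;
    sem_post(&checked);
    if (!use_lock) sem_wait(&bound);    /* preemption point */
    if (!was_bound) sk.flags |= SF_BROADCAST;
    if (use_lock) pthread_mutex_unlock(&sk.lock);
    return unused;
}

/* true if a receiver stays registered after close: the dangling reference isotp_rcv() hits */
bool receiver_dangles(bool locked)
{
    pthread_t t;
    use_lock = locked;
    sk = (struct isotp_sock){ .lock = PTHREAD_MUTEX_INITIALIZER };
    sem_init(&checked, 0, 0); sem_init(&bound, 0, 0);
    pthread_create(&t, NULL, model_setsockopt, NULL);
    sem_wait(&checked);         /* setsockopt passed its bound check */
    model_bind();
    pthread_join(t, NULL);
    /* isotp_release(): only non-broadcast sockets unregister their receiver */
    if (!(sk.flags & SF_BROADCAST)) sk.rx_registered = false;
    sem_destroy(&checked); sem_destroy(&bound);
    return sk.rx_registered;
}
```

receiver_dangles(false) reproduces the inconsistent state (receiver registered by bind, never unregistered on close); receiver_dangles(true) shows that holding the lock across check and write makes bind see the broadcast flag, so registration and unregistration agree.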
Comment 6 Borislav Petkov 2021-05-18 15:31:14 UTC
Looks like it, see 1185564.
Comment 7 Takashi Iwai 2021-05-18 15:38:30 UTC
OK, now I pushed the backported fix to stable branch for TW.  Older releases are unaffected.

Reassigned back to security team.
Comment 8 Marcus Meissner 2021-05-20 10:03:29 UTC
*** Bug 1185564 has been marked as a duplicate of this bug. ***
Comment 9 Marcus Meissner 2021-05-20 10:03:47 UTC
done