fix racy SOCK_ZAPPED flag check in l2tp_ip{,6}_bind() in kernel-net CVE-2016-10200 [released]
asked 2017-05-11 15:27:59 +0200
This post is a wiki. Anyone with karma >75 is welcome to improve it.
Description
Race condition in the L2TPv3 IP Encapsulation feature in the Linux kernel before 4.8.14 allows local users to gain privileges or cause a denial of service (use-after-free) by making multiple bind system calls without properly ascertaining whether a socket has the SOCK_ZAPPED status, related to net/l2tp/l2tp_ip.c (and net/l2tp/l2tp_ip6.c. -- not in kernel-adaptation-sbj-3.4.108.20161101.1) CVSS v3:7.0 high/medium (attack range: local)
Upstream Patch available.
File affected: kernel-adaptation-sbj-3.4.108.20161101.1/net/l2tp/l2tp_ip.c lines 254-261; 269-273
released in Jämsänjoki / 2.1.1.23
lpr ( 2017-07-24 21:07:47 +0200 )edit