fix racy SOCK_ZAPPED flag check in l2tp_ip{,6}_bind() in kernel-net CVE-2016-10200

Tracked by Jolla (In release)

asked 2017-05-11 15:27:59 +0300

this post is marked as community wiki

This post is a wiki. Anyone with karma >75 is welcome to improve it.

updated 2017-05-11 15:28:11 +0300

lpr gravatar image

Description
Race condition in the L2TPv3 IP Encapsulation feature in the Linux kernel before 4.8.14 allows local users to gain privileges or cause a denial of service (use-after-free) by making multiple bind system calls without properly ascertaining whether a socket has the SOCK_ZAPPED status, related to net/l2tp/l2tp_ip.c (and net/l2tp/l2tp_ip6.c. -- not in kernel-adaptation-sbj-3.4.108.20161101.1) CVSS v3:7.0 high/medium (attack range: local)

Upstream Patch available.

File affected: kernel-adaptation-sbj-3.4.108.20161101.1/net/l2tp/l2tp_ip.c lines 254-261; 269-273

edit retag flag offensive close delete