in packet_do_bind, test fanout with bind_lock held and hold bind lock when rebinding to fanout hook in kernel-packet CVE-2017-15649

Tracked by Jolla

asked 2017-11-09 07:56:29 +0200

this post is marked as community wiki

This post is a wiki. Anyone with karma >75 is welcome to improve it.

updated 2017-11-09 07:56:29 +0200

lpr gravatar image

net/packet/af_packet.c in the Linux kernel before 4.13.6 allows local users to gain privileges via crafted system calls that trigger mishandling of packet_fanout data structures, because of a race condition (involving fanout_add and packet_do_bind) that leads to a use-after-free, a different vulnerability than CVE-2017-6346. 7.8high

Patches |1| and |2| are available.

File affected: kernel-adaptation-sbj-3.4.108.20161101.1/net/packet/af_packet.c lines 1342-1345; 1351-1354; 2488-2497

edit retag flag offensive close delete

Comments

now, backport to kernel 3.2 is available: use atomic_read() not refcount_read()

lpr ( 2017-11-13 17:38:02 +0200 )edit