in packet_do_bind, test fanout with bind_lock held and hold bind lock when rebinding to fanout hook in kernel-packet CVE-2017-15649

Tracked by Jolla

asked 2017-11-09 07:56:29 +0300

this post is marked as community wiki

This post is a wiki. Anyone with karma >75 is welcome to improve it.

updated 2017-11-09 07:56:29 +0300

lpr gravatar image

net/packet/af_packet.c in the Linux kernel before 4.13.6 allows local users to gain privileges via crafted system calls that trigger mishandling of packet_fanout data structures, because of a race condition (involving fanout_add and packet_do_bind) that leads to a use-after-free, a different vulnerability than CVE-2017-6346. 7.8high

Patches |1| and |2| are available.

File affected: kernel-adaptation-sbj- lines 1342-1345; 1351-1354; 2488-2497

edit retag flag offensive close delete


now, backport to kernel 3.2 is available: use atomic_read() not refcount_read()

lpr ( 2017-11-13 17:38:02 +0300 )edit