in packet_do_bind, test fanout with bind_lock held and hold bind lock when rebinding to fanout hook in kernel-packet CVE-2017-15649
Tracked by Jolla
(Rejected)
asked 2017-11-09 07:56:29 +0300
This post is a wiki. Anyone with karma >75 is welcome to improve it.
net/packet/af_packet.c in the Linux kernel before 4.13.6 allows local users to gain privileges via crafted system calls that trigger mishandling of packet_fanout data structures, because of a race condition (involving fanout_add and packet_do_bind) that leads to a use-after-free, a different vulnerability than CVE-2017-6346. 7.8high
Patches |1| and |2| are available.
File affected: kernel-adaptation-sbj-3.4.108.20161101.1/net/packet/af_packet.c lines 1342-1345; 1351-1354; 2488-2497
now, backport to kernel 3.2 is available: use atomic_read() not refcount_read()
lpr ( 2017-11-13 17:38:02 +0300 )edit