Bleeding Edge Kernel Bug Bites Again

DECbot writes:

For those of us that must run the bleeding edge on their boxes, it may be time to eat some humble pie and roll back to an early kernel to avoid a privilege escalation bug in the 5.11 and 5.12 kernels allowing arbitrary code to run as root.
First reported at openwall.com, the bug exploits a race condition in the CAN ISOTP networking protocol. From Norbert Slusarek reporting of the bug:

A race condition in the CAN ISOTP networking protocol was discovered which
allows forbidden changing of socket members after binding the socket.

In particular, the lack of locking behavior in isotp_setsockopt() makes it
feasible to assign the flag CAN_ISOTP_SF_BROADCAST to the socket, despite having
previously registered a can receiver. After closing the isotp socket, the can
receiver will still be registered and use-after-free's can be triggered in
isotp_rcv() on the freed isotp_sock structure.
This leads to arbitrary kernel execution by overwriting the sk_error_report()
pointer, which can be misused in order to execute a user-controlled ROP chain to
gain root privileges.

The vulnerability was introduced with the introduction of SF_BROADCAST support
in commit 921ca574cd38 ("can: isotp: add SF_BROADCAST support for functional
addressing") in 5.11-rc1.
In fact, commit 323a391a220c ("can: isotp: isotp_setsockopt():
block setsockopt on bound sockets") did not effectively prevent isotp_setsockopt()
from modifying socket members before isotp_bind().

The requested CVE ID will be revealed along with further exploitation details
as a response to this notice on 13th May of 2021.

Original Submission

Read more of this story at SoylentNews.