Bug 1971651 (CVE-2021-3609) - CVE-2021-3609 kernel: race condition in net/can/bcm.c leads to local privilege escalation
Status: CLOSED ERRATA
Alias: CVE-2021-3609
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
Depends On: 1975220 1975221 1975222 1975223 1974405 1974444 1974445 1975055 1975057 1975058 1975059 1975060 1975061 1975062 1975063 1975064 1975065 1975066 1975067 1975616
Blocks: 1971652 1973534
Reported: 2021-06-14 13:53 UTC by Marian Rehak
Modified: 2022-05-11 20:18 UTC

Fixed In Version:
Doc Text:
A flaw was found in the CAN BCM networking protocol in the Linux kernel, where a local attacker can abuse a flaw in the CAN subsystem to corrupt memory, crash the system or escalate privileges.
Last Closed: 2021-08-10 13:28:55 UTC



Links
System                  ID              Last Updated
Red Hat Product Errata  RHBA-2021:3127  2021-08-10 18:05:34 UTC
Red Hat Product Errata  RHBA-2021:3136  2021-08-11 15:39:28 UTC
Red Hat Product Errata  RHBA-2021:3474  2021-09-09 05:11:15 UTC
Red Hat Product Errata  RHBA-2021:3475  2021-09-09 06:51:07 UTC
Red Hat Product Errata  RHSA-2021:3044  2021-08-10 11:13:19 UTC
Red Hat Product Errata  RHSA-2021:3057  2021-08-10 13:14:43 UTC
Red Hat Product Errata  RHSA-2021:3088  2021-08-10 13:08:10 UTC
Red Hat Product Errata  RHSA-2021:3235  2021-08-19 15:48:40 UTC
Red Hat Product Errata  RHSA-2021:3363  2021-08-31 09:21:00 UTC
Red Hat Product Errata  RHSA-2021:3375  2021-08-31 08:53:41 UTC
Red Hat Product Errata  RHSA-2021:3380  2021-08-31 09:04:19 UTC
Red Hat Product Errata  RHSA-2021:3442  2021-09-07 14:56:36 UTC
Red Hat Product Errata  RHSA-2021:3444  2021-09-07 15:20:58 UTC

Description Marian Rehak 2021-06-14 13:53:01 UTC
A race condition occurs between bcm_release() and bcm_rx_handler(). When a message is received in bcm_rx_handler(), the socket can be closed in bcm_release(), which will free the struct bcm_sock and struct bcm_op. This leads to various use-after-frees in bcm_rx_handler() and, depending on the provided flags, also in bcm_rx_timeout_handler(). The use-after-frees, in combination with a heap spray, may lead to sensitive socket data being overwritten, resulting in local privilege escalation.
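
A defender's check for the module this flaw lives in, added here as an example and not part of the bug report or of Red Hat's advisories: it reads a /proc/modules-style listing and a modprobe.d directory and reports whether can_bcm is loaded, blocked, or merely not loaded yet. The report itself states no mitigation, so the modprobe.d blocking rule, the auto-load assumption and the exit-code convention are this example's own; the listed errata remain the actual fix.

```shell
#!/bin/sh
# Added example, not from the bug report: report whether the can_bcm module
# (net/can/bcm.c) is loaded, blocked via modprobe.d, or merely not loaded yet.
# File paths are parameters so the check also runs on constructed snapshots.

# 0 if can_bcm appears in a /proc/modules-style listing, 1 otherwise.
can_bcm_loaded() {
    grep -q '^can_bcm ' "${1:-/proc/modules}"
}

# 0 if any modprobe.d file carries an "install can-bcm /bin/true" or
# "blacklist can_bcm" style rule (modprobe treats '-' and '_' alike).
can_bcm_blocked() {
    grep -qsE '^(install|blacklist)[[:space:]]+can[-_]bcm' "${1:-/etc/modprobe.d}"/*.conf
}

# Verdict: 0 = blocked, 1 = not loaded but auto-loadable, 2 = loaded.
# Assumption: an unpatched kernel is exposed only once can_bcm is loaded,
# and creating a CAN_BCM socket is enough to auto-load it.
assess_can_bcm() {
    if can_bcm_loaded "$1"; then
        echo "can_bcm loaded: apply the kernel errata or unload the module"
        return 2
    elif can_bcm_blocked "$2"; then
        echo "can_bcm not loaded and blocked in modprobe.d"
        return 0
    fi
    echo "can_bcm not loaded but not blocked: a CAN_BCM socket would auto-load it"
    return 1
}

# Demo on a constructed /proc/modules snapshot (not taken from a real host).
demo=$(mktemp -d)
printf 'can_bcm 20480 0 - Live 0x0\ncan 28672 1 can_bcm, Live 0x0\n' > "$demo/modules"
mkdir "$demo/modprobe.d"
assess_can_bcm "$demo/modules" "$demo/modprobe.d" || true
rm -rf "$demo"
```

On a live host, call assess_can_bcm /proc/modules /etc/modprobe.d; a verdict of 0 only says the module cannot be auto-loaded, not that the kernel is patched.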

Comment 1 Petr Matousek 2021-06-21 15:25:18 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1974405]

Comment 2 Petr Matousek 2021-06-21 15:52:08 UTC
Proposed upstream fix:

https://lore.kernel.org/netdev/20210619161813.2098382-1-cascardo@canonical.com/

Comment 5 Marian Rehak 2021-06-22 07:20:38 UTC
Reference:

https://www.openwall.com/lists/oss-security/2021/06/19/1

Comment 12 errata-xmlrpc 2021-08-10 11:13:16 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:3044 https://access.redhat.com/errata/RHSA-2021:3044

Comment 13 errata-xmlrpc 2021-08-10 13:08:05 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:3088 https://access.redhat.com/errata/RHSA-2021:3088

Comment 14 errata-xmlrpc 2021-08-10 13:14:39 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:3057 https://access.redhat.com/errata/RHSA-2021:3057

Comment 15 Product Security DevOps Team 2021-08-10 13:28:55 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-3609

Comment 16 errata-xmlrpc 2021-08-19 15:48:38 UTC
This issue has been addressed in the following products:

  Red Hat Virtualization 4 for Red Hat Enterprise Linux 8

Via RHSA-2021:3235 https://access.redhat.com/errata/RHSA-2021:3235

Comment 17 errata-xmlrpc 2021-08-31 08:53:38 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Extended Update Support

Via RHSA-2021:3375 https://access.redhat.com/errata/RHSA-2021:3375

Comment 18 errata-xmlrpc 2021-08-31 09:04:14 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Extended Update Support

Via RHSA-2021:3380 https://access.redhat.com/errata/RHSA-2021:3380

Comment 19 errata-xmlrpc 2021-08-31 09:20:56 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Extended Update Support

Via RHSA-2021:3363 https://access.redhat.com/errata/RHSA-2021:3363

Comment 20 errata-xmlrpc 2021-09-07 14:56:33 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Extended Update Support

Via RHSA-2021:3442 https://access.redhat.com/errata/RHSA-2021:3442

Comment 21 errata-xmlrpc 2021-09-07 15:20:54 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Extended Update Support

Via RHSA-2021:3444 https://access.redhat.com/errata/RHSA-2021:3444
