A race condition occurs between bcm_release() and bcm_rx_handler(). While a message is being processed in bcm_rx_handler(), the socket can be closed in bcm_release(), which frees the struct bcm_sock and struct bcm_op. This leads to various use-after-frees in bcm_rx_handler() and, depending on the provided flags, also in bcm_rx_timeout_handler(). The use-after-frees, in combination with a heap spray, may lead to sensitive socket data being overwritten, resulting in local privilege escalation.
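The teardown ordering behind this flaw, as an added user-space model that is not code from the kernel or from this bug report. A receive callback (standing in for bcm_rx_handler()) looks up the registered op under a reader-side section, the way CAN receive callbacks run under rcu_read_lock(); release_unsafe() frees the op straight after unregistering it, so a callback that already passed the lookup touches freed memory, while release_safe() first waits for in-flight readers to drain, which is the role synchronize_rcu() plays in the upstream fix linked below. All names (model_op, rx_deliver, the reader counter used in place of real RCU) are hypothetical stand-ins.

```c
/* Added example: user-space model of the bcm_release()/bcm_rx_handler()
 * teardown race.  Names are hypothetical; the reader counter stands in
 * for the kernel's RCU read side and synchronize_rcu(). */
#include <pthread.h>
#include <sched.h>
#include <stdatomic.h>
#include <stdio.h>
#include <stdlib.h>

struct model_sock { int fd; };                      /* stands in for struct bcm_sock */
struct model_op { struct model_sock *sk; int can_id; }; /* stands in for struct bcm_op */

static _Atomic(struct model_op *) registered; /* op the receive path may call into */
static atomic_int readers;                    /* threads currently inside the read side */
static atomic_int freed;                      /* set once the op has been freed */
static atomic_int violations;                 /* a reader was still inside when freed */
static atomic_long handled;                   /* frames delivered to the handler */

/* Receive path: enter the read side, look up the op, use it, leave.
 * Returns 1 while an op is still registered, 0 once it is gone. */
static int rx_deliver(void)
{
    atomic_fetch_add(&readers, 1);
    struct model_op *op = atomic_load(&registered);
    if (op) {
        volatile int fd = op->sk->fd;       /* bcm_rx_handler() dereferences op->sk here */
        (void)fd;
        atomic_fetch_add(&handled, 1);
        /* With a correct grace period the op cannot be freed while a reader
         * is still inside the read side, so this must never fire. */
        if (atomic_load(&freed))
            atomic_fetch_add(&violations, 1);
    }
    atomic_fetch_sub(&readers, 1);
    return op != NULL;
}

static void *rx_thread(void *arg)
{
    (void)arg;
    while (rx_deliver())
        ;
    return NULL;
}

/* Vulnerable ordering: unregister, then free at once.  A reader that loaded
 * `registered` just before the store is still using op (use-after-free). */
void release_unsafe(struct model_op *op)
{
    atomic_store(&registered, NULL);
    free(op->sk);
    free(op);
    atomic_store(&freed, 1);
}

/* Fixed ordering: unregister, wait for every in-flight reader to leave
 * (the synchronize_rcu() step), and only then free. */
void release_safe(struct model_op *op)
{
    atomic_store(&registered, NULL);
    while (atomic_load(&readers) > 0)
        sched_yield();
    atomic_store(&freed, 1);
    free(op->sk);
    free(op);
}

/* Runs one receive thread against a registered op and tears the op down with
 * the safe ordering while frames are still being delivered.  Returns the
 * number of reads that overlapped the free (expected 0), or -1 on error. */
int run_safe_scenario(void)
{
    struct model_op *op = malloc(sizeof *op);
    op->sk = malloc(sizeof *op->sk);
    op->sk->fd = 3;          /* constructed sample values */
    op->can_id = 0x123;
    atomic_store(&readers, 0);
    atomic_store(&freed, 0);
    atomic_store(&violations, 0);
    atomic_store(&handled, 0);
    atomic_store(&registered, op);

    pthread_t t;
    if (pthread_create(&t, NULL, rx_thread, NULL) != 0)
        return -1;
    while (atomic_load(&handled) < 1000)    /* make sure deliveries overlap the release */
        sched_yield();
    release_safe(op);
    pthread_join(t, NULL);
    return atomic_load(&violations);
}

long handled_total(void) { return atomic_load(&handled); }

int main(void)
{
    int v = run_safe_scenario();
    printf("frames handled: %ld, reads overlapping free: %d\n", handled_total(), v);
    return v == 0 ? 0 : 1;
}
```

Swapping release_safe() for release_unsafe() in run_safe_scenario() and building with AddressSanitizer may report a heap-use-after-free on the `op->sk->fd` read in rx_deliver(); the window is timing-dependent, so it does not trigger on every run, which is also why such races survive ordinary testing. The counter-based wait is only a stand-in: the kernel relies on rcu_read_lock() in the receive path and synchronize_rcu() before bcm_remove_op() to get the same ordering.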
Created kernel tracking bugs for this issue: Affects: fedora-all [bug 1974405]
Proposed upstream fix: https://lore.kernel.org/netdev/20210619161813.2098382-1-cascardo@canonical.com/
Reference: https://www.openwall.com/lists/oss-security/2021/06/19/1
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2021:3044 https://access.redhat.com/errata/RHSA-2021:3044
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2021:3088 https://access.redhat.com/errata/RHSA-2021:3088
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2021:3057 https://access.redhat.com/errata/RHSA-2021:3057
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2021-3609
This issue has been addressed in the following products: Red Hat Virtualization 4 for Red Hat Enterprise Linux 8 Via RHSA-2021:3235 https://access.redhat.com/errata/RHSA-2021:3235
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.2 Extended Update Support Via RHSA-2021:3375 https://access.redhat.com/errata/RHSA-2021:3375
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.2 Extended Update Support Via RHSA-2021:3380 https://access.redhat.com/errata/RHSA-2021:3380
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.2 Extended Update Support Via RHSA-2021:3363 https://access.redhat.com/errata/RHSA-2021:3363
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.1 Extended Update Support Via RHSA-2021:3442 https://access.redhat.com/errata/RHSA-2021:3442
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.1 Extended Update Support Via RHSA-2021:3444 https://access.redhat.com/errata/RHSA-2021:3444