UAF on CAN BCM bcm_rx_handler
Bug #1931855 reported by Thadeu Lima de Souza Cascardo
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
linux (Ubuntu) | Fix Released | Undecided | Unassigned |
Bug Description
[Impact]
bcm_rx_handler may run concurrently with can_rx_unregister called from bcm_release, which then frees the bcm_op still in use by bcm_rx_handler, leading to a system crash.
[Potential regression]
CAN BCM sockets may stop working as expected.
[Test case]
Programs from can-utils were run, some of them concurrently.
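A userspace model of the race described in [Impact] and of the fix recorded in the changelog (delaying release of struct bcm_op until after synchronize_rcu), added here as an example and not code from the kernel or from this bug. The `readers` counter and condition variables stand in for RCU read-side sections and synchronize_rcu(), `op.freed` stands in for kfree(), and the handshake forces the handler to overlap bcm_release as the report describes.

```c
#include <pthread.h>
#include <stdbool.h>

/* Constructed model, not kernel code: shared state of one op and one handler. */
static pthread_mutex_t mu = PTHREAD_MUTEX_INITIALIZER;
static pthread_cond_t cv = PTHREAD_COND_INITIALIZER;
static int readers;          /* RCU read-side sections currently active */
static bool handler_parked;  /* handler has entered its read-side section */
static bool unregistered;    /* release path has done can_rx_unregister() */
static struct { bool freed; int count; } op;   /* stands in for struct bcm_op */

/* bcm_rx_handler(): enters the read-side section, then overlaps bcm_release. */
static void *rx_handler(void *arg)
{
    int *result = arg;
    pthread_mutex_lock(&mu);
    readers++;               /* rcu_read_lock() */
    handler_parked = true;
    pthread_cond_broadcast(&cv);
    while (!unregistered)    /* stay in flight until release has unregistered us */
        pthread_cond_wait(&cv, &mu);
    *result = op.freed ? -1 : ++op.count;   /* touching a freed op is the UAF */
    readers--;               /* rcu_read_unlock() */
    pthread_cond_broadcast(&cv);
    pthread_mutex_unlock(&mu);
    return NULL;
}

/* bcm_release(): unregister, optionally wait a grace period, then free the op.
 * Returns -1 if the handler touched the op after it was freed, otherwise the
 * handler's updated count (1). */
static int bcm_release_model(bool wait_grace_period)
{
    pthread_t t;
    int result = 0;
    readers = 0; handler_parked = false; unregistered = false;
    op.freed = false; op.count = 0;
    pthread_create(&t, NULL, rx_handler, &result);
    pthread_mutex_lock(&mu);
    while (!handler_parked)  /* make sure the handler is already mid-flight */
        pthread_cond_wait(&cv, &mu);
    unregistered = true;     /* can_rx_unregister(): no new handler runs start */
    pthread_cond_broadcast(&cv);
    if (wait_grace_period)   /* synchronize_rcu(): wait for pre-existing readers */
        while (readers > 0)
            pthread_cond_wait(&cv, &mu);
    op.freed = true;         /* kfree(op) */
    pthread_mutex_unlock(&mu);
    pthread_join(t, NULL);
    return result;
}
```

Without the grace period the handler observes a freed op (the crash in the report); with it, the release path blocks until the in-flight handler has left its read-side section.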
- summary: placeholder bug → UAF on CAN BCM bcm_rx_handler
- description: updated
- information type: Private → Public Security
- tags added: kernel-cve-tracking-bug; removed: verification-needed-focal, verification-needed-hirsute
This bug was fixed in the package linux - 5.11.0-22.23
---------------
linux (5.11.0-22.23) hirsute; urgency=medium
* UAF on CAN J1939 j1939_can_recv (LP: #1932209)
- SAUCE: can: j1939: delay release of j1939_priv after synchronize_rcu
* UAF on CAN BCM bcm_rx_handler (LP: #1931855)
- SAUCE: can: bcm: delay release of struct bcm_op after synchronize_rcu
linux (5.11.0-20.21) hirsute; urgency=medium
* hirsute/linux: 5.11.0-20.21 -proposed tracker (LP: #1930854)
* ath11k WIFI not working in proposed kernel 5.11.0-19-generic (LP: #1930637)
- bus: mhi: core: Download AMSS image from appropriate function
linux (5.11.0-19.20) hirsute; urgency=medium
* hirsute/linux: 5.11.0-19.20 -proposed tracker (LP: #1930075)
* Packaging resync (LP: #1786013)
- update dkms package versions
* CVE-2021-33200
- bpf: Wrap aux data inside bpf_sanitize_info container
- bpf: Fix mask direction swap upon off reg sign change
- bpf: No need to simulate speculative domain for immediates
* AX201 BT will cause system could not enter S0i3 (LP: #1928047)
- SAUCE: drm/i915: Tweaked Wa_14010685332 for all PCHs
* CVE-2021-3490
- SAUCE: Revert "UBUNTU: SAUCE: bpf: verifier: fix ALU32 bounds tracking with bitwise ops"
- bpf: Fix alu32 const subreg bound tracking on bitwise operations
* CVE-2021-3489
- SAUCE: Revert "UBUNTU: SAUCE: bpf: prevent writable memory-mapping of read-only ringbuf pages"
- bpf: Prevent writable memory-mapping of read-only ringbuf pages
* Select correct boot VGA when BIOS doesn't do it properly (LP: #1929217)
- vgaarb: Use ACPI HID name to find integrated GPU
* Realtek USB hubs in Dell WD19SC/DC/TB fail to work after exiting s2idle (LP: #1928242)
- USB: Verify the port status when timeout happens during port suspend
* CVE-2020-26145
- ath10k: drop fragments with multicast DA for SDIO
- ath10k: add CCMP PN replay protection for fragmented frames for PCIe
- ath10k: drop fragments with multicast DA for PCIe
* CVE-2020-26141
- ath10k: Fix TKIP Michael MIC verification for PCIe
* CVE-2020-24587
- ath11k: Clear the fragment cache during key install
* CVE-2020-24588
- mac80211: properly handle A-MSDUs that start with an RFC 1042 header
- cfg80211: mitigate A-MSDU aggregation attacks
- mac80211: drop A-MSDUs on old ciphers
- ath10k: drop MPDU which has discard flag set by firmware for SDIO
* CVE-2020-26139
- mac80211: do not accept/forward invalid EAPOL frames
* CVE-2020-24586 // CVE-2020-24587 // CVE-2020-24587 for such cases.
- mac80211: extend protection against mixed key and fragment cache attacks
* CVE-2020-24586 // CVE-2020-24587
- mac80211: prevent mixed key and fragment cache attacks
- mac80211: add fragment cache to sta_info
- mac80211: check defrag PN against current frame
- mac80211: prevent attacks on TKIP/WEP as well
* CVE-2020-26147
- mac80211: assure all fragments are encrypted
* raid10: Block discard is very slow, causing severe delays for mkfs and fstrim operations (LP: #1896578)
- md: add md_submit_discard_bio() for submitting discard bio
- ...