Headline
CVE-2021-22600: git/torvalds/linux.git - Linux kernel source tree
A double free bug in packet_set_ring() in net/packet/af_packet.c can be exploited by a local user through crafted syscalls to escalate privileges or deny service. We recommend upgrading the kernel past the affected versions or rebuilding from a tree that includes ec6af094ea28f0f2dda1a6a33b14cd57e36a9755.
author
Willem de Bruijn [email protected]
2021-12-15 09:39:37 -0500
committer
Jakub Kicinski [email protected]
2021-12-15 17:49:36 -0800
commit
ec6af094ea28f0f2dda1a6a33b14cd57e36a9755 (patch)
tree
907fc24cb8efc985e2475143b9e905bd6c99acd2
parent
481221775d53d6215a6e5e9ce1cce6d2b4ab9a46 (diff)
download
linux-ec6af094ea28f0f2dda1a6a33b14cd57e36a9755.tar.gz
net/packet: rx_owner_map depends on pg_vec
Packet sockets may switch ring versions. Avoid misinterpreting state between versions, whose fields share a union. rx_owner_map is only allocated with a packet ring (pg_vec) and both are swapped together. If pg_vec is NULL, meaning no packet ring was allocated, then neither was rx_owner_map. And the field may be old state from a tpacket_v3.

Fixes: 61fad6816fc1 ("net/packet: tpacket_rcv: avoid a producer race condition")
Reported-by: Syzbot [email protected]
Signed-off-by: Willem de Bruijn [email protected]
Reviewed-by: Eric Dumazet [email protected]
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Jakub Kicinski [email protected]
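The state hazard the commit message describes, as an added C model that is not kernel code: the per-version ring state shares a union, so closing a ring under TPACKET_V2 after a TPACKET_V3 ring was used swaps stale union bytes into the local rx_owner_map, and the pre-patch release path hands them to the allocator. Only rx_owner_map and pg_vec are kernel names; the v3 fields, the version constants, the allocation registry and every function here are assumptions invented for the model, and kernel allocations are replaced by a small registry so an invalid free is counted rather than executed.

```c
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

/* Added model, not kernel code. Per-version ring state shares a union as in
 * the kernel; only rx_owner_map and pg_vec are kernel names, the rest is
 * invented for this illustration. */
struct ring_model {
    union {
        unsigned long *rx_owner_map;                          /* TPACKET_V1/V2 rings */
        struct { unsigned long timer_arg, active_block; } v3; /* TPACKET_V3 rings */
    };
    void *pg_vec;                      /* NULL when no ring is allocated */
};

#define VERSION_V2 2
#define VERSION_V3 3
#define MAX_LIVE 8

/* Registry of live bitmaps: an invalid free is counted, not passed to free(). */
static unsigned long *live_maps[MAX_LIVE];
static int invalid_frees;

static unsigned long *model_bitmap_alloc(void)
{
    unsigned long *map = calloc(1, sizeof *map);
    for (int i = 0; map && i < MAX_LIVE; i++)
        if (!live_maps[i]) { live_maps[i] = map; return map; }
    free(map);
    return NULL;
}

static void model_bitmap_free(unsigned long *map)
{
    if (!map)
        return;                        /* kfree(NULL) is a no-op */
    for (int i = 0; i < MAX_LIVE; i++)
        if (live_maps[i] == map) { live_maps[i] = NULL; free(map); return; }
    invalid_frees++;                   /* pointer never came from the allocator */
}

static int live_map_count(void)
{
    int n = 0;
    for (int i = 0; i < MAX_LIVE; i++)
        n += live_maps[i] != NULL;
    return n;
}

/* Model of packet_set_ring(): block_nr == 0 closes the ring. New state is
 * swapped in, old state falls through to the out_free_pg_vec path in its
 * pre-patch (fixed == false) or post-patch (fixed == true) form. */
static int model_set_ring(struct ring_model *rb, int version, unsigned block_nr, bool fixed)
{
    void *pg_vec = NULL, *old_vec;
    unsigned long *rx_owner_map = NULL, *old_map;

    if (block_nr) {
        pg_vec = malloc(block_nr);     /* stands in for alloc_pg_vec() */
        if (!pg_vec)
            return -1;
        if (version <= VERSION_V2 && !(rx_owner_map = model_bitmap_alloc())) {
            free(pg_vec);
            return -1;
        }
    }
    old_vec = rb->pg_vec; rb->pg_vec = pg_vec; pg_vec = old_vec;   /* swap(rb->pg_vec, pg_vec) */
    if (version <= VERSION_V2) {       /* swap(rb->rx_owner_map, rx_owner_map) */
        old_map = rb->rx_owner_map; rb->rx_owner_map = rx_owner_map; rx_owner_map = old_map;
    } else if (rb->pg_vec) {
        rb->v3.timer_arg = 0xdeadbeefUL;   /* v3 ring init writes the union */
        rb->v3.active_block = 0;
    }
    if (fixed) {
        if (pg_vec) {                  /* post-patch: free only when a ring existed */
            model_bitmap_free(rx_owner_map);
            free(pg_vec);
        }
    } else {
        model_bitmap_free(rx_owner_map);   /* pre-patch: unconditional free */
        if (pg_vec)
            free(pg_vec);
    }
    return 0;
}

static void reset(struct ring_model *rb)
{
    memset(rb, 0, sizeof *rb);
    memset(live_maps, 0, sizeof live_maps);
    invalid_frees = 0;
}

/* Reported sequence: create a v3 ring, close it, switch to v2, close again.
 * Returns how many invalid frees the model observed. */
static int replay_version_switch(bool fixed)
{
    struct ring_model rb;
    reset(&rb);
    model_set_ring(&rb, VERSION_V3, 4, fixed); /* union now holds v3 state */
    model_set_ring(&rb, VERSION_V3, 0, fixed); /* pg_vec NULL, union untouched */
    model_set_ring(&rb, VERSION_V2, 0, fixed); /* v2 swap reads the stale bytes */
    return invalid_frees;
}

/* Regression check: an ordinary v2 open/close must still release its bitmap. */
static int v2_open_close_leaks(bool fixed)
{
    struct ring_model rb;
    reset(&rb);
    model_set_ring(&rb, VERSION_V2, 4, fixed);
    model_set_ring(&rb, VERSION_V2, 0, fixed);
    return live_map_count();
}
```

replay_version_switch(false) reports one invalid free and replay_version_switch(true) reports none, while v2_open_close_leaks(true) returns 0, showing that tying the free to pg_vec does not leak the bitmap on an ordinary ring close. The guard works because, as the commit message states, rx_owner_map is only ever allocated together with pg_vec, so pg_vec being NULL is a reliable signal that the union holds no bitmap pointer.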
-rw-r--r--
net/packet/af_packet.c
5
1 files changed, 3 insertions, 2 deletions
diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
index 46943a18a10d5..76c2dca7f0a59 100644
--- a/net/packet/af_packet.c
+++ b/net/packet/af_packet.c
@@ -4492,9 +4492,10 @@ static int packet_set_ring(struct sock *sk, union tpacket_req_u *req_u,
}
out_free_pg_vec:
- bitmap_free(rx_owner_map);
- if (pg_vec)
+ if (pg_vec) {
+ bitmap_free(rx_owner_map);
free_pg_vec(pg_vec, order, req->tp_block_nr);
+ }
out:
return err;
}
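Review bot: a one-line comment above `if (pg_vec) {` explaining why the free must stay inside the guard would help, because `bitmap_free()` already tolerates a NULL argument, so the guard is not a NULL check but the only thing that keeps the stale tpacket_v3 union bytes described in the commit message from being passed to the allocator; without that comment a later cleanup could hoist `bitmap_free(rx_owner_map);` back out of the block and reintroduce the double free. The logic itself is consistent with the stated invariant: rx_owner_map is allocated only alongside pg_vec, so a NULL pg_vec means there is no bitmap to release.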