Subject: [ASA-202107-48] linux: privilege escalation Arch Linux Security Advisory ASA-202107-48 ========================================== Severity: High Date : 2021-07-21 CVE-ID : CVE-2021-3609 CVE-2021-3612 CVE-2021-3655 CVE-2021-33909 Package : linux Type : privilege escalation Remote : Yes Link : https://security.archlinux.org/AVG-2181 Summary ======= The package linux before version 5.13.4.arch1-1 is vulnerable to privilege escalation including privilege escalation and information disclosure. Resolution ========== Upgrade to 5.13.4.arch1-1. # pacman -Syu "linux>=5.13.4.arch1-1" The problems have been fixed upstream in version 5.13.4.arch1. Workaround ========== None. Description =========== - CVE-2021-3609 (privilege escalation) A race condition in net/can/bcm.c in the Linux kernel before version 5.13.2 allows for local privilege escalation to root. The CAN BCM networking protocol allows to register a CAN message receiver for a specified socket. The function bcm_rx_handler() is run for incoming CAN messages. Simultaneously to running this function, the socket can be closed and bcm_release() will be called. Inside bcm_release(), struct bcm_op and struct bcm_sock are freed while bcm_rx_handler() is still running, finally leading to multiple use-after-free's. - CVE-2021-3612 (privilege escalation) An out-of-bounds memory write security issue was found in the Linux kernel’s joystick devices subsystem before version 5.13.2, in the way the user calls ioctl JSIOCSBTNMAP. This flaw allows a local user to crash the system or possibly escalate their privileges on the system. - CVE-2021-3655 (information disclosure) A vulnerability was found in the Linux kernel. Missing size validations on inbound SCTP packets may allow the kernel to read uninitialized memory. - CVE-2021-33909 (privilege escalation) An privilege escalation security issue has been found in the filesystem layer of the Linux kernel before version 5.13.4. An unprivileged local attacker can obtain full root privileges by creating, mounting, and deleting a deep directory structure whose total path length exceeds 1GB, which leads to an uncontrolled out-of-bounds write. Impact ====== An unprivileged local attacker could obtain full root privileges or crash the system. References ========== https://www.openwall.com/lists/oss-security/2021/06/19/1 https://www.openwall.com/lists/oss-security/2021/06/19/2 https://github.com/nrb547/kernel-exploitation/blob/main/cve-2021-3609/cve-2021-3609.md https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=v5.13.2&id=014f8baa9d240c4cf7180d37abd625fd4a4527c8 https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=v5.12.17&id=d8a5cf5cfc07a296c78bd515671e374b8d8db022 https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=v5.10.50&id=b52e0cf0bfc1ede495de36aec86f6013efa18f60 https://bugzilla.redhat.com/show_bug.cgi?id=1974079 https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=v5.13.2&id=81acf1015233b3ee1d9834ba4fcca087a75c0c1b https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=v5.12.17&id=b88243d8f1c7eb2a834fd7cd1ea9691554240d3a https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=v5.10.50&id=b4c35e9e8061b2386da1aa0d708e991204e76c45 https://bugzilla.redhat.com/show_bug.cgi?id=1984024 https://git.kernel.org/pub/scm/linux/kernel/git/netdev/net.git/commit/?id=0c5dc070ff3d6246d22ddd931f23a6266249e3db https://git.kernel.org/pub/scm/linux/kernel/git/netdev/net.git/commit/?id=50619dbf8db77e98d821d615af4f634d08e22698 https://git.kernel.org/pub/scm/linux/kernel/git/netdev/net.git/commit/?id=b6ffe7671b24689c09faa5675dd58f93758a97ae https://git.kernel.org/pub/scm/linux/kernel/git/netdev/net.git/commit/?id=ef6c8d6ccf0c1dccdda092ebe8782777cd7803c9 https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=v5.13.3&id=4ecabee69d190f2bd9bdc5140109a27231428413 https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=v5.13.3&id=92b74375a1bbf5f7f64f4ea98064a5ba62956bcc https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=v5.12.18&id=d91adac26d5ebac78c731b3aa23ff2c210ce2a0d https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=v5.12.18&id=603f0eedf3b17df9e424c01bae25b94ae1091279 https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=v5.10.51&id=d4dbef7046e24669278eba4455e9e8053ead6ba0 https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=v5.10.51&id=6ef81a5c0e22233e13c748e813c54d3bf0145782 https://www.qualys.com/2021/07/20/cve-2021-33909/sequoia-local-privilege-escalation-linux.txt https://www.qualys.com/2021/07/20/cve-2021-33909/cve-2021-33909-crasher.c https://www.qualys.com/2021/07/20/cve-2021-33909/cve-2021-33909-exploit.tar.gz https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=v5.13.4&id=71de462034c69525a5049fbdf3903c5833cbce04 https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=v5.12.19&id=514b6531b1cbb64199db63bfdb80953d71998cca https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=v5.10.52&id=174c34d9cda1b5818419b8f5a332ced10755e52f https://security.archlinux.org/CVE-2021-3609 https://security.archlinux.org/CVE-2021-3612 https://security.archlinux.org/CVE-2021-3655 https://security.archlinux.org/CVE-2021-33909