Subject: [ASA-202107-49] linux-zen: privilege escalation

Arch Linux Security Advisory ASA-202107-49
==========================================

Severity: High
Date    : 2021-07-21
CVE-ID  : CVE-2021-3609 CVE-2021-3612 CVE-2021-3655 CVE-2021-33909
Package : linux-zen
Type    : privilege escalation
Remote  : Yes
Link    : https://security.archlinux.org/AVG-2182

Summary
=======

The package linux-zen before version 5.13.4.zen1-1 is vulnerable to
privilege escalation including privilege escalation and information
disclosure.

Resolution
==========

Upgrade to 5.13.4.zen1-1.

# pacman -Syu "linux-zen>=5.13.4.zen1-1"

The problems have been fixed upstream in version 5.13.4.zen1.

Workaround
==========

None.

Description
===========

- CVE-2021-3609 (privilege escalation)

A race condition in net/can/bcm.c in the Linux kernel before version
5.13.2 allows for local privilege escalation to root. The CAN BCM
networking protocol allows to register a CAN message receiver for a
specified socket. The function bcm_rx_handler() is run for incoming CAN
messages. Simultaneously to running this function, the socket can be
closed and bcm_release() will be called. Inside bcm_release(), struct
bcm_op and struct bcm_sock are freed while bcm_rx_handler() is still
running, finally leading to multiple use-after-free's.

- CVE-2021-3612 (privilege escalation)

An out-of-bounds memory write security issue was found in the Linux
kernel’s joystick devices subsystem before version 5.13.2, in the way
the user calls ioctl JSIOCSBTNMAP. This flaw allows a local user to
crash the system or possibly escalate their privileges on the system.

- CVE-2021-3655 (information disclosure)

A vulnerability was found in the Linux kernel. Missing size validations
on inbound SCTP packets may allow the kernel to read uninitialized
memory.

- CVE-2021-33909 (privilege escalation)

An privilege escalation security issue has been found in the filesystem
layer of the Linux kernel before version 5.13.4. An unprivileged local
attacker can obtain full root privileges by creating, mounting, and
deleting a deep directory structure whose total path length exceeds
1GB, which leads to an uncontrolled out-of-bounds write.

Impact
======

An unprivileged local attacker could obtain full root privileges or
crash the system.

References
==========

https://www.openwall.com/lists/oss-security/2021/06/19/1
https://www.openwall.com/lists/oss-security/2021/06/19/2
https://github.com/nrb547/kernel-exploitation/blob/main/cve-2021-3609/cve-2021-3609.md
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=v5.13.2&id=014f8baa9d240c4cf7180d37abd625fd4a4527c8
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=v5.12.17&id=d8a5cf5cfc07a296c78bd515671e374b8d8db022
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=v5.10.50&id=b52e0cf0bfc1ede495de36aec86f6013efa18f60
https://bugzilla.redhat.com/show_bug.cgi?id=1974079
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=v5.13.2&id=81acf1015233b3ee1d9834ba4fcca087a75c0c1b
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=v5.12.17&id=b88243d8f1c7eb2a834fd7cd1ea9691554240d3a
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=v5.10.50&id=b4c35e9e8061b2386da1aa0d708e991204e76c45
https://bugzilla.redhat.com/show_bug.cgi?id=1984024
https://git.kernel.org/pub/scm/linux/kernel/git/netdev/net.git/commit/?id=0c5dc070ff3d6246d22ddd931f23a6266249e3db
https://git.kernel.org/pub/scm/linux/kernel/git/netdev/net.git/commit/?id=50619dbf8db77e98d821d615af4f634d08e22698
https://git.kernel.org/pub/scm/linux/kernel/git/netdev/net.git/commit/?id=b6ffe7671b24689c09faa5675dd58f93758a97ae
https://git.kernel.org/pub/scm/linux/kernel/git/netdev/net.git/commit/?id=ef6c8d6ccf0c1dccdda092ebe8782777cd7803c9
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=v5.13.3&id=4ecabee69d190f2bd9bdc5140109a27231428413
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=v5.13.3&id=92b74375a1bbf5f7f64f4ea98064a5ba62956bcc
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=v5.12.18&id=d91adac26d5ebac78c731b3aa23ff2c210ce2a0d
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=v5.12.18&id=603f0eedf3b17df9e424c01bae25b94ae1091279
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=v5.10.51&id=d4dbef7046e24669278eba4455e9e8053ead6ba0
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=v5.10.51&id=6ef81a5c0e22233e13c748e813c54d3bf0145782
https://www.qualys.com/2021/07/20/cve-2021-33909/sequoia-local-privilege-escalation-linux.txt
https://www.qualys.com/2021/07/20/cve-2021-33909/cve-2021-33909-crasher.c
https://www.qualys.com/2021/07/20/cve-2021-33909/cve-2021-33909-exploit.tar.gz
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=v5.13.4&id=71de462034c69525a5049fbdf3903c5833cbce04
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=v5.12.19&id=514b6531b1cbb64199db63bfdb80953d71998cca
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=v5.10.52&id=174c34d9cda1b5818419b8f5a332ced10755e52f
https://security.archlinux.org/CVE-2021-3609
https://security.archlinux.org/CVE-2021-3612
https://security.archlinux.org/CVE-2021-3655
https://security.archlinux.org/CVE-2021-33909