Comments on: 5-Year-Old Linux Kernel Local Privilege Escalation Flaw Discovered

By: Tomi Engdahl

Tomi Engdahl — Fri, 09 Dec 2016 08:44:37 +0000

CVE-2016-8655 Linux af_packet.c race condition (local root)
http://www.openwall.com/lists/oss-security/2016/12/06/1

This is an announcement about CVE-2016-8655 which is a race-condition
I found in Linux (net/packet/af_packet.c). It can be exploited to gain
kernel code execution from unprivileged processes.

The bug was introduced on Aug 19, 2011:
https://github.com/torvalds/linux/commit/f6fb8f100b807378fda19e83e5ac6828b638603a

Fixed on Nov 30, 2016:
https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=84ac7260236a49c79eede91617700174c2c19b0c

By: Tomi Engdahl

Tomi Engdahl — Fri, 09 Dec 2016 08:43:12 +0000

packet: fix race condition in packet_set_ring
https://github.com/torvalds/linux/commit/84ac7260236a49c79eede91617700174c2c19b0c

By: Tomi Engdahl

Tomi Engdahl — Fri, 09 Dec 2016 08:42:49 +0000

CVE-2016-8655
https://access.redhat.com/security/cve/cve-2016-8655

A race condition issue leading to a use-after-free flaw was found in the way the raw packet sockets implementation in the Linux kernel networking subsystem handled synchronization while creating the TPACKET_V3 ring buffer. A local user able to open a raw packet socket (requires the CAP_NET_RAW capability) could use this flaw to elevate their privileges on the system.

This issue does not affect Red Hat Enterprise Linux 5 and 6.

CVE-2016-8655
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8655

Race condition in net/packet/af_packet.c in the Linux kernel through 4.8.12 allows local users to gain privileges or cause a denial of service (use-after-free) by leveraging the CAP_NET_RAW capability to change a socket version, related to the packet_set_ring and packet_setsockopt functions.