Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 601926 (CVE-2016-8655) - Kernel: Race condition in packet_set_ring leads to use after free (CVE-2016-8655)
Summary: Kernel: Race condition in packet_set_ring leads to use after free (CVE-2016-8...
Alias: CVE-2016-8655
Product: Gentoo Security
Classification: Unclassified
Component: Kernel (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Kernel Security
Depends on:
Reported: 2016-12-07 18:44 UTC by Thomas Deutschmann (RETIRED)
Modified: 2022-03-25 22:54 UTC (History)
4 users (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Thomas Deutschmann (RETIRED) gentoo-dev 2016-12-07 18:44:51 UTC
From $URL:

This is an announcement about CVE-2016-8655 which is a race-condition
Philip Pettersson found in Linux (net/packet/af_packet.c). It can be
exploited to gain kernel code execution from unprivileged processes.

The bug was introduced on Aug 19, 2011:

Fixed on Nov 30, 2016:

=*=*=*=*=*=*=*=*=   BUG DETAILS  =*=*=*=*=*=*=*=*=

To create AF_PACKET sockets you need CAP_NET_RAW in your network
namespace, which can be acquired by unprivileged processes on
systems where unprivileged namespaces are enabled (Ubuntu, Fedora, etc).
It can be triggered from within containers to compromise the host kernel.
On Android, processes with gid=3004/AID_NET_RAW are able to create
AF_PACKET sockets (mediaserver) and can trigger the bug.

Pettersson found the bug by reading code paths that have been opened up by
the emergence of unprivileged namespaces, something he think should be
off by default in all Linux distributions given its history of security

The problem is inside packet_set_ring() and packet_setsockopt().
We can reach packet_set_ring() by calling setsockopt() on the socket
using the PACKET_RX_RING option.

If the version of the packet socket is TPACKET_V3, a timer_list
object will be initialized by packet_set_ring() when it calls

> ...
>                 switch (po->tp_version) {
>                 case TPACKET_V3:
>                 /* Transmit path is not supported. We checked
>                  * it above but just being paranoid
>                  */
>                         if (!tx_ring)
>                                 init_prb_bdqc(po, rb, pg_vec, req_u);
>                         break;
>                 default:
>                         break;
>                 }
> ...

The function flow to set up the timer is:

When the socket is closed, packet_set_ring() is called again
to free the ring buffer and delete the previously initialized
timer if the packet version is > TPACKET_V2:

> ...
>         if (closing && (po->tp_version > TPACKET_V2)) {
>                 /* Because we don't support block-based V3 on tx-ring */
>                 if (!tx_ring)
>                         prb_shutdown_retire_blk_timer(po, rb_queue);
>         }
> ...

The issue is that we can change the packet version to TPACKET_V1
with packet_setsockopt() after init_prb_bdqc() has been executed
and before packet_set_ring() has returned.

There is an attempt to deny changing socket versions after a ring
buffer has been initialized, but it is insufficient:

> ...
>         case PACKET_VERSION:
>         {
> ...
>                 if (po->rx_ring.pg_vec || po->tx_ring.pg_vec)
>                         return -EBUSY;
> ...

There's plenty of room to race this code path between the calls to
init_prb_bdqc() and swap(rb->pg_vec, pg_vec) in packet_set_ring().

When the socket is closed, packet_set_ring() will not delete the
timer since the socket version is now TPACKET_V1. The struct
timer_list that describes the timer object is located inside the
struct packet_sock for the socket itself however and will be
freed with a call to kfree().

We then have a use-after-free on a timer object that can be
exploited by various poisoning attacks on the SLAB allocator (he find
add_key() to be the most reliable). This will ultimately lead to the
kernel jumping to a manipulated function pointer when the timer expires.

The bug is fixed by taking lock_sock(sk) in packet_setsockopt() when
changing the packet version while also taking the lock at the start
of packet_set_ring().

Pettersson's exploit defeats SMEP/SMAP and will give a rootshell on
Ubuntu 16.04, he will hold off a day on publishing it so people have some
time to update.

New Ubuntu kernels are out so please update as soon as possible.

=*=*=*=*=*=*=*=*=    TIMELINE    =*=*=*=*=*=*=*=*=

2016-11-28: Bug reported to security () kernel org
2016-11-30: Patch submitted to netdev, notification sent to linux-distros
2016-12-02: Patch committed to mainline kernel
2016-12-06: Public announcement

=*=*=*=*=*=*=*=*=     LINKS      =*=*=*=*=*=*=*=*=

=*=*=*=*=*=*=*=*=     CREDIT     =*=*=*=*=*=*=*=*=

Philip Pettersson
Comment 1 Thomas Deutschmann (RETIRED) gentoo-dev 2016-12-07 18:58:52 UTC
Possible mitigation:

Don't grant CAP_NET_RAW capability to the attacker's account.

Don't set CONFIG_USER_NS in your kernel so that local unprivileged users also cannot abuse namespaces to grant this capability to themselves and elevate their privileges.
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-03-25 22:54:02 UTC
Fixed in 4.9