CVE-2022-2961
race condition in rose_bind()
References
Notes
carnil> Possible fix is 2df91e397d85 ("net: rose: add netdev ref
carnil> tracker to 'struct rose_sock'") but as of 2022-08-30 no
carnil> clarification in RHBZ#2120595.
bwh> This is not fixed by commit 2df91e397d85. The problem is that
bwh> rose_bind() doesn't prevent two concurrent bind calls on the same
bwh> socket from succeeding. It checks that the SOCK_ZAPPED flag is set
bwh> at the top, and clears it at the bottom, leaving a race condition
bwh> between those bit operations.
bwh> In bullseye and newer releases this is mitigated because we
bwh> disabled auto-loading of the rose module.
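
The check-then-clear window described in the note above, replayed deterministically as an added user-space model; it is not kernel code and not the upstream fix. The struct, the function names and the atomic test-and-clear used to close the window are assumptions made for illustration.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stdio.h>

/* User-space model only: hypothetical names, not the kernel's rose code. */
struct model_sock {
    atomic_bool zapped;  /* stands in for the SOCK_ZAPPED flag */
    int binds;           /* number of bind calls that completed successfully */
};

/* Racy shape: the flag is tested at the top and cleared at the bottom. */
static bool racy_check(struct model_sock *s) { return atomic_load(&s->zapped); }
static void racy_commit(struct model_sock *s)
{
    s->binds++;                       /* bind work happens inside the window */
    atomic_store(&s->zapped, false);  /* flag cleared only at the end */
}

/* Closed window: test and clear are one atomic step, before any bind work.
 * A real implementation would have to set the flag again if bind then fails. */
static bool safe_claim(struct model_sock *s) { return atomic_exchange(&s->zapped, false); }

/* Interleaving: caller A checks, caller B checks, A commits, B commits. */
int racy_interleaved_binds(void)
{
    struct model_sock s = { .binds = 0 };
    atomic_init(&s.zapped, true);
    bool a = racy_check(&s);
    bool b = racy_check(&s);          /* flag is still set, so B passes too */
    if (a) racy_commit(&s);
    if (b) racy_commit(&s);
    return s.binds;
}

/* Same interleaving with the atomic claim: only the first caller proceeds. */
int safe_interleaved_binds(void)
{
    struct model_sock s = { .binds = 0 };
    atomic_init(&s.zapped, true);
    bool a = safe_claim(&s);
    bool b = safe_claim(&s);          /* B sees the flag already cleared */
    if (a) s.binds++;
    if (b) s.binds++;
    return s.binds;
}

int main(void)
{
    printf("racy: %d binds succeeded\n", racy_interleaved_binds());
    printf("safe: %d binds succeeded\n", safe_interleaved_binds());
    return 0;
}
```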
Bugs
Status
Branch | Status
4.19-buster-security | needed
4.19-upstream-stable | needed
5.10-bullseye-security | needed
5.10-upstream-stable | needed
6.1-bookworm-security | needed
6.1-upstream-stable | needed
6.6-upstream-stable | unknown
6.8-upstream-stable | unknown
sid | needed
upstream | needed