In the Linux kernel through 4.19, a use-after-free can occur due to a race condition between fanout_add from setsockopt and bind on an…
mitre·CWE-362·Published 2018-10-22
In the Linux kernel through 4.19, a use-after-free can occur due to a race condition between fanout_add from setsockopt and bind on an AF_PACKET socket. This issue exists because commit 15fe076edea787807a7cdc168df832544b58eba6 was an incomplete fix for a race condition. The code mishandles a certain multithreaded case involving a packet_do_bind unregister action followed by a packet_notifier register action. Later, packet_release operates on only one of the two applicable linked lists. The attacker can achieve Program Counter control.
| CVSS version | Type | Source | Base score | Exploitability score | Impact score | Vector |
|---|---|---|---|---|---|---|
| 2.0 | Primary | NVD | 6.8 | 8.6 | 6.4 | AV:N/AC:M/Au:N/C:P/I:P/A:P |
| 3.1 | Primary | NVD | 8.1 | 2.2 | 5.9 | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |