A bug found in the kernel's AF_PACKET, and text scrolling removed from the console

Recently another vulnerability was disclosed in the AF_PACKET subsystem of the Linux kernel. It allows a local unprivileged user to execute code as root, or to escape from an isolated container in which they have root access.

The published information notes that the CAP_NET_RAW capability is required to create the AF_PACKET socket through which the vulnerability is exploited.

However, an unprivileged user can obtain that capability inside containers created on systems where unprivileged user namespaces are enabled. Whether that applies to a given host can be checked with sysctl: Debian exposed the switch as kernel.unprivileged_userns_clone, RHEL 7 as user.max_user_namespaces.

For example, unprivileged user namespaces are enabled by default in Ubuntu and Fedora, but not in Debian and RHEL. On Android, the mediaserver process has the right to create AF_PACKET sockets, so the vulnerability can be exploited through it.

About the vulnerability in AF_PACKET

The vulnerability is in the tpacket_rcv function and is caused by an error in the calculation of the netoff variable.

An attacker can create conditions under which netoff receives a value smaller than maclen, so that the calculation "macoff = netoff - maclen" wraps around (integer underflow) and the pointer to the buffer for incoming data is set incorrectly.

As a result, an attacker can cause 1 to 10 bytes to be written outside the allocated buffer.

The miscalculation has been present in the kernel since July 2008, that is, in every kernel still in use; however, the now-known ability to use it to write outside the allocated buffer (the vulnerability proper) was presumably introduced in February 2016 (kernel 4.6-rc1 and later), with the addition of virtio_net header support.
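As an added illustration, not code from the article or from the kernel itself, the following C model reproduces the offset arithmetic described above: netoff is computed from the tpacket header length, the link-layer header length and the user-chosen PACKET_RESERVE value, then macoff = netoff - maclen. The "narrow" branch keeps netoff in an unsigned short, as the old code did; the other branch follows the fix as I understand it (widen netoff and drop frames whose netoff exceeds USHRT_MAX). The header lengths, the 64 KiB frame size and the chosen tp_reserve value are constructed sample parameters; the function names are mine.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

/*
 * Constants as in <linux/if_packet.h> and <linux/virtio_net.h> (assumed here,
 * not quoted from the article): TPACKET_ALIGN rounds up to a 16-byte boundary,
 * and the virtio_net_hdr that tpacket_rcv() writes just before the link-layer
 * header when PACKET_VNET_HDR is enabled is 10 bytes long.
 */
#define TPACKET_ALIGNMENT   16
#define TPACKET_ALIGN(x)    (((x) + TPACKET_ALIGNMENT - 1) & ~(TPACKET_ALIGNMENT - 1))
#define VIRTIO_NET_HDR_LEN  10

struct rx_layout {
    bool dropped;           /* the fixed code refuses the frame */
    unsigned int netoff;    /* offset of the network header inside the ring frame */
    unsigned int macoff;    /* offset of the link-layer header inside the ring frame */
};

/*
 * Model of the offset arithmetic of tpacket_rcv() for a SOCK_RAW socket.
 *   tp_hdrlen : size of the tpacket header for the ring version in use
 *   tp_reserve: bytes the user asked to reserve with setsockopt(PACKET_RESERVE)
 *   maclen    : link-layer header length of the received frame
 *   vnet      : PACKET_VNET_HDR is enabled on the socket
 *   narrow    : true reproduces the old code, where netoff was an unsigned short;
 *               false reproduces the fix, which widens netoff and rejects
 *               values that no longer fit in 16 bits.
 */
static struct rx_layout tpacket_offsets(unsigned int tp_hdrlen, unsigned int tp_reserve,
                                        unsigned int maclen, bool vnet, bool narrow)
{
    struct rx_layout r = {0};
    unsigned int netoff = TPACKET_ALIGN(tp_hdrlen + (maclen < 16 ? 16 : maclen)) + tp_reserve;

    if (narrow) {
        netoff = (unsigned short)netoff;      /* silent truncation: the bug */
    } else if (netoff > USHRT_MAX) {
        r.dropped = true;                     /* the fix: drop instead of wrapping */
        return r;
    }
    if (vnet)
        netoff += VIRTIO_NET_HDR_LEN;

    /* macoff stays an unsigned short in both versions; it underflows if netoff < maclen */
    unsigned short macoff = (unsigned short)(netoff - maclen);
    r.netoff = netoff;
    r.macoff = macoff;
    return r;
}

/*
 * True when the 10-byte virtio_net_hdr write, which lands in bytes
 * [macoff - 10, macoff) of the ring frame, would fall outside a frame of
 * frame_size bytes. Dropped frames are never written.
 */
static bool vnet_hdr_write_oob(struct rx_layout l, unsigned int frame_size)
{
    if (l.dropped)
        return false;
    return l.macoff < VIRTIO_NET_HDR_LEN || l.macoff > frame_size;
}

static void show(const char *label, struct rx_layout l, unsigned int frame_size)
{
    if (l.dropped)
        printf("%-28s dropped by the netoff > USHRT_MAX check\n", label);
    else
        printf("%-28s netoff=%u macoff=%u vnet_hdr write %s\n", label, l.netoff, l.macoff,
               vnet_hdr_write_oob(l, frame_size) ? "OUT OF BOUNDS" : "inside the frame");
}

int main(void)
{
    /* Constructed sample parameters: TPACKET_V2 header length 52, Ethernet
     * header 14, ring frames of 64 KiB so that a huge tp_reserve still fits. */
    const unsigned int hdrlen = 52, maclen = 14, frame_size = 65536;
    /* tp_reserve chosen so that TPACKET_ALIGN(52 + 16) + tp_reserve = 65540,
     * which wraps to 4 in 16 bits: after the 10-byte vnet header netoff is 14,
     * macoff = 14 - 14 = 0, and the header write starts 10 bytes before the frame. */
    const unsigned int evil_reserve = 65460;

    show("benign, old kernel", tpacket_offsets(hdrlen, 0, maclen, true, true), frame_size);
    show("evil reserve, old kernel", tpacket_offsets(hdrlen, evil_reserve, maclen, true, true), frame_size);
    show("evil reserve, fixed kernel", tpacket_offsets(hdrlen, evil_reserve, maclen, true, false), frame_size);
    return 0;
}
```

The model only covers the arithmetic; on a real system the ring frames must be large enough to hold tp_reserve for the setup to be accepted, which is why the sample uses 64 KiB frames.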

The fix is so far available only as a patch. It is also noted that an exploit that obtains root privileges on the system is being developed.

Those who want to know whether the fix is already available for their distribution can track the appearance of package updates on the following pages: Ubuntu, Fedora, SUSE, Debian, RHEL, Arch.

Text scrolling support for the text console was removed

Speaking of the Linux kernel, it was also announced that the text scrolling (scrollback) code was removed from the implementation of the text console in the Linux kernel (CONFIG_VGACON_SOFT_SCROLLBACK).

The code was removed because of bugs that nobody was available to fix, as vgacon has no maintainer overseeing its development.

A few months ago a vulnerability was identified and fixed in vgacon (CVE-2020-14331) that could cause a buffer overflow because of missing bounds checks on the scrollback buffer. That vulnerability drew the developers' attention and led them to organise fuzzing of the vgacon code in syzbot.

Further checks revealed several more similar issues in the vgacon code, as well as problems in the software scrollback implementation of the fbcon driver.

Unfortunately, the problematic code had been left unattended for a long time, presumably because developers moved to graphical consoles and text consoles fell out of use. People continue to use the vgacon and fbcon consoles, but they have not been the kernel's main interface for decades, and functions such as the driver's built-in scrolling (Shift+PgUp / Shift+PgDn) are probably in low demand.

In this situation, Linus Torvalds decided not to try to keep unmaintained code, but simply to delete it.

Finally, it is mentioned that if there are users who need this functionality, the console scrolling code will be returned to the kernel as soon as a maintainer appears who is ready to take charge of it, that is, someone willing to dedicate time to it.
