A race condition in the CAN ISOTP networking protocol was discovered which allows socket members to be changed after the socket has been bound, which is otherwise forbidden.

In particular, the lack of locking in isotp_setsockopt() makes it feasible to assign the flag CAN_ISOTP_SF_BROADCAST to the socket despite a CAN receiver having been registered previously. After the isotp socket is closed, the CAN receiver remains registered, and use-after-frees can be triggered in isotp_rcv() on the freed isotp_sock structure.

This leads to arbitrary kernel execution by overwriting the sk_error_report() pointer, which can be misused in order to execute a user-controlled ROP chain to gain root privileges.

The vulnerability was introduced with the introduction of SF_BROADCAST support in commit 921ca574cd38 ("can: isotp: add SF_BROADCAST support for functional addressing") in 5.11-rc1.

In fact, commit 323a391a220c ("can: isotp: isotp_setsockopt(): block setsockopt on bound sockets") did not effectively prevent isotp_setsockopt() from modifying socket members before isotp_bind().
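The two paragraphs above describe a check-then-act race: isotp_setsockopt() checks whether the socket is bound and then writes the option, but nothing stops isotp_bind() from registering the receiver between the check and the write. The following user-space model, added here as an illustration and not taken from the advisory or from the kernel, enumerates every interleaving of a setsockopt caller and a bind caller and counts how many end with the option written after bind. All names (model_sock, setopt_ctx, the step functions) are constructed for the model; the "locked" variant stands for check and write being done under the same lock that bind() takes, which is the mitigation a reviewer would look for.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed model state; not the kernel's struct isotp_sock. */
struct model_sock {
    bool bound;              /* bind() has registered a CAN receiver */
    bool broadcast;          /* stands in for the CAN_ISOTP_SF_BROADCAST flag */
    bool changed_after_bind; /* the forbidden outcome: option written after bind */
};

/* Private state of the setsockopt caller: the result of its bound check. */
struct setopt_ctx {
    bool check_passed;
};

/* Unlocked isotp_setsockopt() model, split into the two steps a scheduler
 * can separate: step 0 reads "bound", step 1 writes the flag. */
static void setopt_step_unlocked(struct model_sock *s, struct setopt_ctx *c, int step)
{
    if (step == 0) {
        c->check_passed = !s->bound;   /* "reject if already bound" check */
    } else if (c->check_passed) {
        if (s->bound)                  /* bind() ran between check and write */
            s->changed_after_bind = true;
        s->broadcast = true;
    }
}

/* Locked model: check and write happen under the socket lock, so relative to
 * bind() (which takes the same lock) they are one indivisible step. */
static void setopt_step_locked(struct model_sock *s, struct setopt_ctx *c, int step)
{
    (void)step;
    c->check_passed = !s->bound;
    if (c->check_passed)
        s->broadcast = true;
}

/* bind() model: registering the receiver is the only step that matters here. */
static void bind_step(struct model_sock *s)
{
    s->bound = true;
}

/* Exhaustively enumerate every interleaving of the setsockopt steps with the
 * bind step. Returns the number of interleavings that end in the forbidden
 * state; *total receives the number of interleavings explored. */
static int explore(struct model_sock s, struct setopt_ctx c,
                   int a_done, int a_total, int b_done, bool locked, int *total)
{
    if (a_done == a_total && b_done == 1) {
        (*total)++;
        return s.changed_after_bind ? 1 : 0;
    }
    int bad = 0;
    if (a_done < a_total) {
        struct model_sock s2 = s;
        struct setopt_ctx c2 = c;
        if (locked)
            setopt_step_locked(&s2, &c2, a_done);
        else
            setopt_step_unlocked(&s2, &c2, a_done);
        bad += explore(s2, c2, a_done + 1, a_total, b_done, locked, total);
    }
    if (b_done < 1) {
        struct model_sock s2 = s;
        bind_step(&s2);
        bad += explore(s2, c, a_done, a_total, b_done + 1, locked, total);
    }
    return bad;
}

/* Number of interleavings in which the option is written after bind(). */
int count_racy_interleavings(bool locked)
{
    struct model_sock s = {false, false, false};
    struct setopt_ctx c = {false};
    int total = 0;
    return explore(s, c, 0, locked ? 1 : 2, 0, locked, &total);
}

/* Total number of interleavings the model has for a given variant. */
int count_interleavings(bool locked)
{
    struct model_sock s = {false, false, false};
    struct setopt_ctx c = {false};
    int total = 0;
    explore(s, c, 0, locked ? 1 : 2, 0, locked, &total);
    return total;
}

int main(void)
{
    printf("unlocked: %d of %d interleavings change the option after bind\n",
           count_racy_interleavings(false), count_interleavings(false));
    printf("locked:   %d of %d interleavings change the option after bind\n",
           count_racy_interleavings(true), count_interleavings(true));
    return 0;
}
```

In the unlocked model one of the three interleavings (check, bind, write) reaches the forbidden state, which is exactly why a bound-state check alone, as in commit 323a391a220c, is insufficient; once check and write form a single step relative to bind(), no interleaving does.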

The requested CVE ID will be revealed along with further exploitation details as a response to this notice on 13 May 2021.