An issue was discovered in drivers/media/platform/vivid in the Linux kernel. It is exploitable for privilege escalation on some Linux distributions where local users have /dev/video0 access, but only if the driver happens to be loaded. There are multiple race conditions during streaming stopping in this driver (part of the V4L2 subsystem).
Tag: Race Condition
ASA-2019-00503 – Wind River VxWorks: TCP Urgent Pointer state confusion due to race condition
A series of segments with and without the URG-flag set must arrive with a very specific timing while an application on the victim is receiving from the session. The victim must be using a SMP-kernel and two or more CPU-cores alternatively an uni-processor kernel where the receiving task and the network task executes at different priorities. A prerequisite is that the system uses TCP-sockets, and there is at least one TCP session enabled that an attacker can inject traffic into. This vulnerability relies on a race condition between the network task (tNet0) and the receiving application. It is essentially impossible to trigger the race on a system with just a single CPU thread enabled and no way to reliably trigger it on SMP targets. The impact of the vulnerability is a buffer overflow of up to a full TCP receive-windows (by default 10k-64k depending on the version). The buffer overflow happens in the task calling recv()/recvfrom()/recvmsg(). Applications that pass a buffer equal to or larger than a full TCP window are not susceptible to this attack. Applications passing a stack-allocated variable as buffer are the easiest to exploit. The most likely outcome is a crash of the application reading from the affected socket. In the worst-case scenario, this vulnerability can potentially lead to RCE.
ASA-2019-00420 – Linux kernel: Use-after-free via race condition between modify_ldt() and #BR exception
There is a use-after-free for access to an LDT entry because of a race condition between modify_ldt() and a #BR exception for an MPX bounds violation.
ASA-2019-00369 – ISC BIND: A race condition when discarding malformed packets can cause BIND to exit with an assertion failure
A race condition which may occur when discarding malformed packets can result in BIND exiting due to a REQUIRE assertion failure in dispatch.c. An attacker who can cause a resolver to perform queries which will be answered by a server which responds with deliberately malformed answers can cause named to exit, denying service to clients.
ASA-2019-00344 – Intel Open Cloud Integrity Technology (Open CIT): A race condition in the agent service
A race condition in the agent service for Open CIT may allow an authenticated user to potentially enable escalation of privilege via local access.
ASA-2019-00280 – Intel: A race condition in Intel(R) Graphics Drivers
A race condition in Intel(R) Graphics Drivers before version 10.18.14.5067 (aka 15.36.x.5067) and 10.18.10.5069 (aka 15.33.x.5069) may allow an authenticated user to potentially enable a denial of service via local access.
ASA-2019-00273 – Singularity: Namespace privilege escalation and arbitrary file corruption
A malicious user with local/network access to the host system (e.g. ssh) could exploit this vulnerability due to insecure permissions allowing a user to edit files within /run/singularity/instances/sing//. The manipulation of those files can change the behavior of the starter-suid program when instances are joined resulting in potential privilege escalation on the host.
ASA-2019-00083 – Linux: Binder use-after-free of VMA via race between reclaim and munmap
There is a race condition between the direct reclaim path (enters binder through the binder_shrinker) and the munmap() syscall (enters binder through the ->close handler of binder_vm_ops).