CVE-2020-14386: Linux Kernel Privilege Escalation Vulnerability Alert
Vulnerability Detail
I discovered a bug which leads to a memory corruption in (net/packet/af_packet.c). It can be exploited to gain root privileges from unprivileged processes.
To create AF_PACKET sockets you need CAP_NET_RAW in your network namespace, which can be acquired by unprivileged processes on systems where unprivileged namespaces are enabled (Ubuntu, Fedora, etc).
I discovered the vulnerability while auditing the 5.7 kernel sources.
The bug occurs in tpacket_rcv function, when calculating the netoff variable (unsigned short), po->tp_reserve (unsigned int) is added to it which can overflow netoff so it gets a small value.