CVE-2022-48830

16.07.2024, 12:15

In the Linux kernel, the following vulnerability has been resolved:

can: isotp: fix potential CAN frame reception race in isotp_rcv()

When receiving a CAN frame the current code logic does not consider
concurrently receiving processes which do not show up in real world
usage.

Ziyang Xuan writes:

The following syz problem is one of the scenarios. so->rx.len is
changed by isotp_rcv_ff() during isotp_rcv_cf(), so->rx.len equals
0 before alloc_skb() and equals 4096 after alloc_skb(). That will
trigger skb_over_panic() in skb_put().

=======================================================
CPU: 1 PID: 19 Comm: ksoftirqd/1 Not tainted 5.16.0-rc8-syzkaller #0
RIP: 0010:skb_panic+0x16c/0x16e net/core/skbuff.c:113
Call Trace:
 <TASK>
 skb_over_panic net/core/skbuff.c:118 [inline]
 skb_put.cold+0x24/0x24 net/core/skbuff.c:1990
 isotp_rcv_cf net/can/isotp.c:570 [inline]
 isotp_rcv+0xa38/0x1e30 net/can/isotp.c:668
 deliver net/can/af_can.c:574 [inline]
 can_rcv_filter+0x445/0x8d0 net/can/af_can.c:635
 can_receive+0x31d/0x580 net/can/af_can.c:665
 can_rcv+0x120/0x1c0 net/can/af_can.c:696
 __netif_receive_skb_one_core+0x114/0x180 net/core/dev.c:5465
 __netif_receive_skb+0x24/0x1b0 net/core/dev.c:5579

Therefore we make sure the state changes and data structures stay
consistent at CAN frame reception time by adding a spin_lock in
isotp_rcv(). This fixes the issue reported by syzkaller but does not
affect real world operation.

Provider	Type	Base Score	Vector
NIST	NIST	UNKNOWN	---
Linux	CNA	---	---
CVE	ADP	---	---
CISA-ADP	ADP	---	---

Awaiting analysis

This vulnerability is currently awaiting analysis.

Base Score

CVSS 3.x

EPSS Score

Percentile: 26%

Debian Releases

Debian Product

Codename

linux

bullseye	5.10.223-1 fixed
bullseye (security)	5.10.226-1 fixed
bookworm	6.1.106-3 fixed
bookworm (security)	6.1.112-1 fixed
trixie	6.11.5-1 fixed
sid	6.11.6-1 fixed

Ubuntu Releases

Ubuntu Product

Codename

linux

noble	not-affected
jammy	not-affected
focal	not-affected
bionic	not-affected
xenial	not-affected
trusty	not-affected

linux-allwinner-5.19

noble	dne
jammy	ignored
focal	dne

linux-aws

noble	not-affected
jammy	not-affected
focal	not-affected
bionic	not-affected
xenial	not-affected
trusty	not-affected

linux-aws-5.0

noble	dne
jammy	dne
focal	dne
bionic	ignored

linux-aws-5.11

noble	dne
jammy	dne
focal	ignored

linux-aws-5.13

noble	dne
jammy	dne
focal	ignored

linux-aws-5.15

noble	dne
jammy	dne
focal	not-affected

linux-aws-5.19

noble	dne
jammy	ignored
focal	dne

linux-aws-5.3

noble	dne
jammy	dne
focal	dne
bionic	ignored

linux-aws-5.4

noble	dne
jammy	dne
focal	dne
bionic	not-affected

linux-aws-5.8

noble	dne
jammy	dne
focal	ignored

linux-aws-6.2

noble	dne
jammy	ignored
focal	dne

linux-aws-6.5

noble	dne
jammy	not-affected
focal	dne

linux-aws-fips

noble	dne
jammy	dne
focal	dne

linux-aws-hwe

noble	dne
jammy	dne
focal	dne
xenial	not-affected

linux-azure

noble	not-affected
jammy	not-affected
focal	not-affected
bionic	ignored
xenial	not-affected
trusty	not-affected

linux-azure-4.15

noble	dne
jammy	dne
focal	dne
bionic	not-affected

linux-azure-5.11

noble	dne
jammy	dne
focal	ignored

linux-azure-5.13

noble	dne
jammy	dne
focal	ignored

linux-azure-5.15

noble	dne
jammy	dne
focal	not-affected

linux-azure-5.19

noble	dne
jammy	ignored
focal	dne

linux-azure-5.3

noble	dne
jammy	dne
focal	dne
bionic	ignored

linux-azure-5.4

noble	dne
jammy	dne
focal	dne
bionic	not-affected

linux-azure-5.8

noble	dne
jammy	dne
focal	ignored

linux-azure-6.2

noble	dne
jammy	ignored
focal	dne

linux-azure-6.5

noble	dne
jammy	not-affected
focal	dne

linux-azure-edge

noble	dne
jammy	dne
focal	dne
bionic	ignored

linux-azure-fde

noble	dne
jammy	not-affected
focal	ignored

linux-azure-fde-5.15

noble	dne
jammy	dne
focal	not-affected

linux-azure-fde-5.19

noble	dne
jammy	ignored
focal	dne

linux-azure-fde-6.2

noble	dne
jammy	ignored
focal	dne

linux-azure-fips

noble	dne
jammy	dne
focal	dne

linux-bluefield

noble	dne
jammy	dne
focal	not-affected

linux-fips

noble	dne
jammy	dne
focal	dne

linux-gcp

noble	not-affected
jammy	not-affected
focal	not-affected
bionic	ignored
xenial	not-affected

linux-gcp-4.15

noble	dne
jammy	dne
focal	dne
bionic	not-affected

linux-gcp-5.11

noble	dne
jammy	dne
focal	ignored

linux-gcp-5.13

noble	dne
jammy	dne
focal	ignored

linux-gcp-5.15

noble	dne
jammy	dne
focal	not-affected

linux-gcp-5.19

noble	dne
jammy	ignored
focal	dne

linux-gcp-5.3

noble	dne
jammy	dne
focal	dne
bionic	ignored

linux-gcp-5.4

noble	dne
jammy	dne
focal	dne
bionic	not-affected

linux-gcp-5.8

noble	dne
jammy	dne
focal	ignored

linux-gcp-6.2

noble	dne
jammy	ignored
focal	dne

linux-gcp-6.5

noble	dne
jammy	not-affected
focal	dne

linux-gcp-fips

noble	dne
jammy	dne
focal	dne

linux-gke

noble	not-affected
jammy	not-affected
focal	ignored

linux-gke-4.15

noble	dne
jammy	dne
focal	dne
bionic	ignored

linux-gke-5.15

noble	dne
jammy	dne
focal	ignored

linux-gke-5.4

noble	dne
jammy	dne
focal	dne
bionic	ignored

linux-gkeop

noble	dne
jammy	not-affected
focal	not-affected

linux-gkeop-5.15

noble	dne
jammy	dne
focal	not-affected

linux-gkeop-5.4

noble	dne
jammy	dne
focal	dne
bionic	ignored

linux-hwe

noble	dne
jammy	dne
focal	dne
bionic	ignored
xenial	not-affected

linux-hwe-5.11

noble	dne
jammy	dne
focal	ignored

linux-hwe-5.13

noble	dne
jammy	dne
focal	ignored

linux-hwe-5.15

noble	dne
jammy	dne
focal	not-affected

linux-hwe-5.19

noble	dne
jammy	ignored
focal	dne

linux-hwe-5.4

noble	dne
jammy	dne
focal	dne
bionic	not-affected

linux-hwe-5.8

noble	dne
jammy	dne
focal	ignored

linux-hwe-6.2

noble	dne
jammy	ignored
focal	dne

linux-hwe-6.5

noble	dne
jammy	ignored
focal	dne

linux-hwe-6.8

noble	dne
jammy	not-affected
focal	dne
bionic	dne
xenial	dne
trusty	dne

linux-hwe-edge

noble	dne
jammy	dne
focal	dne
bionic	ignored
xenial	ignored

linux-ibm

noble	not-affected
jammy	not-affected
focal	not-affected

linux-ibm-5.15

noble	dne
jammy	dne
focal	not-affected

linux-ibm-5.4

noble	dne
jammy	dne
focal	dne
bionic	not-affected

linux-intel

noble	not-affected
jammy	dne
focal	dne

linux-intel-5.13

noble	dne
jammy	dne
focal	ignored

linux-intel-iot-realtime

noble	dne
jammy	dne
focal	dne
bionic	dne
xenial	dne
trusty	dne

linux-intel-iotg

noble	dne
jammy	not-affected
focal	dne

linux-intel-iotg-5.15

noble	dne
jammy	dne
focal	Fixed 5.15.0-1008.11~20.04.1 released

linux-iot

noble	dne
jammy	dne
focal	not-affected

linux-kvm

noble	dne
jammy	not-affected
focal	not-affected
bionic	not-affected
xenial	not-affected

linux-lowlatency

noble	not-affected
jammy	not-affected
focal	dne

linux-lowlatency-hwe-5.15

noble	dne
jammy	dne
focal	not-affected

linux-lowlatency-hwe-5.19

noble	dne
jammy	ignored
focal	dne

linux-lowlatency-hwe-6.2

noble	dne
jammy	ignored
focal	dne

linux-lowlatency-hwe-6.5

noble	dne
jammy	ignored
focal	dne

linux-lowlatency-hwe-6.8

noble	dne
jammy	not-affected
focal	dne
bionic	dne
xenial	dne
trusty	dne

linux-lts-xenial

noble	dne
jammy	dne
focal	dne
trusty	not-affected

linux-nvidia

noble	not-affected
jammy	not-affected
focal	dne

linux-nvidia-6.2

noble	dne
jammy	ignored
focal	dne

linux-nvidia-6.5

noble	dne
jammy	not-affected
focal	dne

linux-nvidia-6.8

noble	dne
jammy	not-affected
focal	dne
bionic	dne
xenial	dne
trusty	dne

linux-nvidia-lowlatency

noble	not-affected
jammy	dne
focal	dne
bionic	dne
xenial	dne
trusty	dne

linux-oem

noble	dne
jammy	dne
focal	dne
bionic	ignored

linux-oem-5.10

noble	dne
jammy	dne
focal	ignored

linux-oem-5.13

noble	dne
jammy	dne
focal	ignored

linux-oem-5.14

noble	dne
jammy	dne
focal	ignored

linux-oem-5.17

noble	dne
jammy	ignored
focal	dne

linux-oem-5.6

noble	dne
jammy	dne
focal	ignored

linux-oem-6.0

noble	dne
jammy	ignored
focal	dne

linux-oem-6.1

noble	dne
jammy	ignored
focal	dne

linux-oem-6.5

noble	dne
jammy	not-affected
focal	dne

linux-oem-6.8

noble	not-affected
jammy	dne
focal	dne

linux-oracle

noble	not-affected
jammy	not-affected
focal	not-affected
bionic	not-affected
xenial	not-affected

linux-oracle-5.0

noble	dne
jammy	dne
focal	dne
bionic	ignored

linux-oracle-5.11

noble	dne
jammy	dne
focal	ignored

linux-oracle-5.13

noble	dne
jammy	dne
focal	ignored

linux-oracle-5.15

noble	dne
jammy	dne
focal	not-affected

linux-oracle-5.3

noble	dne
jammy	dne
focal	dne
bionic	ignored

linux-oracle-5.4

noble	dne
jammy	dne
focal	dne
bionic	not-affected

linux-oracle-5.8

noble	dne
jammy	dne
focal	ignored

linux-oracle-6.5

noble	dne
jammy	not-affected
focal	dne

linux-raspi

noble	not-affected
jammy	not-affected
focal	not-affected

linux-raspi-5.4

noble	dne
jammy	dne
focal	dne
bionic	not-affected

linux-raspi-realtime

noble	dne
jammy	dne
focal	dne
bionic	dne
xenial	dne
trusty	dne

linux-raspi2

noble	dne
jammy	dne
focal	ignored

linux-realtime

noble	dne
jammy	ignored
focal	dne
bionic	dne
xenial	dne
trusty	dne

linux-riscv

noble	not-affected
jammy	ignored
focal	ignored

linux-riscv-5.11

noble	dne
jammy	dne
focal	ignored

linux-riscv-5.15

noble	dne
jammy	dne
focal	not-affected

linux-riscv-5.19

noble	dne
jammy	ignored
focal	dne

linux-riscv-5.8

noble	dne
jammy	dne
focal	ignored

linux-riscv-6.5

noble	dne
jammy	ignored
focal	dne

linux-riscv-6.8

noble	dne
jammy	not-affected
focal	dne
bionic	dne
xenial	dne
trusty	dne

linux-starfive-5.19

noble	dne
jammy	ignored
focal	dne

linux-starfive-6.2

noble	dne
jammy	ignored
focal	dne

linux-starfive-6.5

noble	dne
jammy	not-affected
focal	dne

linux-xilinx-zynqmp

noble	dne
jammy	not-affected
focal	not-affected

References

https://git.kernel.org/stable/c/5b068f33bc8acfcfd5ea7992a2dafb30d89bad30

https://git.kernel.org/stable/c/7b53d2204ce79b27a878074a77d64f40ec21dbca

https://git.kernel.org/stable/c/7c759040c1dd03954f650f147ae7175476d51314

https://git.kernel.org/stable/c/f90cc68f9f4b5d8585ad5d0a206a9d37ac299ef3

https://git.kernel.org/stable/c/5b068f33bc8acfcfd5ea7992a2dafb30d89bad30

https://git.kernel.org/stable/c/7b53d2204ce79b27a878074a77d64f40ec21dbca

https://git.kernel.org/stable/c/7c759040c1dd03954f650f147ae7175476d51314

https://git.kernel.org/stable/c/f90cc68f9f4b5d8585ad5d0a206a9d37ac299ef3