CVE-2022-48830

EUVD-2022-53709

16.07.2024, 12:15

In the Linux kernel, the following vulnerability has been resolved:

can: isotp: fix potential CAN frame reception race in isotp_rcv()

When receiving a CAN frame the current code logic does not consider
concurrently receiving processes which do not show up in real world
usage.

Ziyang Xuan writes:

The following syz problem is one of the scenarios. so->rx.len is
changed by isotp_rcv_ff() during isotp_rcv_cf(), so->rx.len equals
0 before alloc_skb() and equals 4096 after alloc_skb(). That will
trigger skb_over_panic() in skb_put().

=======================================================
CPU: 1 PID: 19 Comm: ksoftirqd/1 Not tainted 5.16.0-rc8-syzkaller #0
RIP: 0010:skb_panic+0x16c/0x16e net/core/skbuff.c:113
Call Trace:
 <TASK>
 skb_over_panic net/core/skbuff.c:118 [inline]
 skb_put.cold+0x24/0x24 net/core/skbuff.c:1990
 isotp_rcv_cf net/can/isotp.c:570 [inline]
 isotp_rcv+0xa38/0x1e30 net/can/isotp.c:668
 deliver net/can/af_can.c:574 [inline]
 can_rcv_filter+0x445/0x8d0 net/can/af_can.c:635
 can_receive+0x31d/0x580 net/can/af_can.c:665
 can_rcv+0x120/0x1c0 net/can/af_can.c:696
 __netif_receive_skb_one_core+0x114/0x180 net/core/dev.c:5465
 __netif_receive_skb+0x24/0x1b0 net/core/dev.c:5579

Therefore we make sure the state changes and data structures stay
consistent at CAN frame reception time by adding a spin_lock in
isotp_rcv(). This fixes the issue reported by syzkaller but does not
affect real world operation.

Race Condition

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	4.7 MEDIUM	LOCAL	HIGH	LOW	CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H

Base Score

CVSS 3.x

EPSS Score

Percentile: 5%

Affected Products (NVD)

Vendor	Product	Version
linux	linux_kernel	5.10 ≤ 𝑥 < 5.10.101
linux	linux_kernel	5.11 ≤ 𝑥 < 5.15.24
linux	linux_kernel	5.16 ≤ 𝑥 < 5.16.10
linux	linux_kernel	5.17:rc1
linux	linux_kernel	5.17:rc2
linux	linux_kernel	5.17:rc3

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

linux

bookworm	6.1.106-3 fixed
bookworm (security)	6.1.112-1 fixed
bullseye	5.10.223-1 fixed
bullseye (security)	5.10.226-1 fixed
sid	6.11.6-1 fixed
trixie	6.11.5-1 fixed

Ubuntu Releases

Ubuntu Product

Codename

linux

bionic	not-affected
focal	not-affected
jammy	not-affected
noble	not-affected
trusty	not-affected
xenial	not-affected

linux-allwinner-5.19

focal	dne
jammy	ignored
noble	dne

linux-aws

bionic	not-affected
focal	not-affected
jammy	not-affected
noble	not-affected
trusty	not-affected
xenial	not-affected

linux-aws-5.0

bionic	ignored
focal	dne
jammy	dne
noble	dne

linux-aws-5.11

focal	ignored
jammy	dne
noble	dne

linux-aws-5.13

focal	ignored
jammy	dne
noble	dne

linux-aws-5.15

focal	not-affected
jammy	dne
noble	dne

linux-aws-5.19

focal	dne
jammy	ignored
noble	dne

linux-aws-5.3

bionic	ignored
focal	dne
jammy	dne
noble	dne

linux-aws-5.4

bionic	not-affected
focal	dne
jammy	dne
noble	dne

linux-aws-5.8

focal	ignored
jammy	dne
noble	dne

linux-aws-6.2

focal	dne
jammy	ignored
noble	dne

linux-aws-6.5

focal	dne
jammy	not-affected
noble	dne

linux-aws-fips

focal	dne
jammy	dne
noble	dne

linux-aws-hwe

focal	dne
jammy	dne
noble	dne
xenial	not-affected

linux-azure

bionic	ignored
focal	not-affected
jammy	not-affected
noble	not-affected
trusty	not-affected
xenial	not-affected

linux-azure-4.15

bionic	not-affected
focal	dne
jammy	dne
noble	dne

linux-azure-5.11

focal	ignored
jammy	dne
noble	dne

linux-azure-5.13

focal	ignored
jammy	dne
noble	dne

linux-azure-5.15

focal	not-affected
jammy	dne
noble	dne

linux-azure-5.19

focal	dne
jammy	ignored
noble	dne

linux-azure-5.3

bionic	ignored
focal	dne
jammy	dne
noble	dne

linux-azure-5.4

bionic	not-affected
focal	dne
jammy	dne
noble	dne

linux-azure-5.8

focal	ignored
jammy	dne
noble	dne

linux-azure-6.2

focal	dne
jammy	ignored
noble	dne

linux-azure-6.5

focal	dne
jammy	not-affected
noble	dne

linux-azure-edge

bionic	ignored
focal	dne
jammy	dne
noble	dne

linux-azure-fde

focal	ignored
jammy	not-affected
noble	dne

linux-azure-fde-5.15

focal	not-affected
jammy	dne
noble	dne

linux-azure-fde-5.19

focal	dne
jammy	ignored
noble	dne

linux-azure-fde-6.2

focal	dne
jammy	ignored
noble	dne

linux-azure-fips

focal	dne
jammy	dne
noble	dne

linux-bluefield

focal	not-affected
jammy	dne
noble	dne

linux-fips

focal	dne
jammy	dne
noble	dne

linux-gcp

bionic	ignored
focal	not-affected
jammy	not-affected
noble	not-affected
xenial	not-affected

linux-gcp-4.15

bionic	not-affected
focal	dne
jammy	dne
noble	dne

linux-gcp-5.11

focal	ignored
jammy	dne
noble	dne

linux-gcp-5.13

focal	ignored
jammy	dne
noble	dne

linux-gcp-5.15

focal	not-affected
jammy	dne
noble	dne

linux-gcp-5.19

focal	dne
jammy	ignored
noble	dne

linux-gcp-5.3

bionic	ignored
focal	dne
jammy	dne
noble	dne

linux-gcp-5.4

bionic	not-affected
focal	dne
jammy	dne
noble	dne

linux-gcp-5.8

focal	ignored
jammy	dne
noble	dne

linux-gcp-6.2

focal	dne
jammy	ignored
noble	dne

linux-gcp-6.5

focal	dne
jammy	not-affected
noble	dne

linux-gcp-fips

focal	dne
jammy	dne
noble	dne

linux-gke

focal	ignored
jammy	not-affected
noble	not-affected

linux-gke-4.15

bionic	ignored
focal	dne
jammy	dne
noble	dne

linux-gke-5.15

focal	ignored
jammy	dne
noble	dne

linux-gke-5.4

bionic	ignored
focal	dne
jammy	dne
noble	dne

linux-gkeop

focal	not-affected
jammy	not-affected
noble	dne

linux-gkeop-5.15

focal	not-affected
jammy	dne
noble	dne

linux-gkeop-5.4

bionic	ignored
focal	dne
jammy	dne
noble	dne

linux-hwe

bionic	ignored
focal	dne
jammy	dne
noble	dne
xenial	not-affected

linux-hwe-5.11

focal	ignored
jammy	dne
noble	dne

linux-hwe-5.13

focal	ignored
jammy	dne
noble	dne

linux-hwe-5.15

focal	not-affected
jammy	dne
noble	dne

linux-hwe-5.19

focal	dne
jammy	ignored
noble	dne

linux-hwe-5.4

bionic	not-affected
focal	dne
jammy	dne
noble	dne

linux-hwe-5.8

focal	ignored
jammy	dne
noble	dne

linux-hwe-6.2

focal	dne
jammy	ignored
noble	dne

linux-hwe-6.5

focal	dne
jammy	ignored
noble	dne

linux-hwe-6.8

bionic	dne
focal	dne
jammy	not-affected
noble	dne
trusty	dne
xenial	dne

linux-hwe-edge

bionic	ignored
focal	dne
jammy	dne
noble	dne
xenial	ignored

linux-ibm

focal	not-affected
jammy	not-affected
noble	not-affected

linux-ibm-5.15

focal	not-affected
jammy	dne
noble	dne

linux-ibm-5.4

bionic	not-affected
focal	dne
jammy	dne
noble	dne

linux-intel

focal	dne
jammy	dne
noble	not-affected

linux-intel-5.13

focal	ignored
jammy	dne
noble	dne

linux-intel-iot-realtime

bionic	dne
focal	dne
jammy	dne
noble	dne
trusty	dne
xenial	dne

linux-intel-iotg

focal	dne
jammy	not-affected
noble	dne

linux-intel-iotg-5.15

focal	Fixed 5.15.0-1008.11~20.04.1 released
jammy	dne
noble	dne

linux-iot

focal	not-affected
jammy	dne
noble	dne

linux-kvm

bionic	not-affected
focal	not-affected
jammy	not-affected
noble	dne
xenial	not-affected

linux-lowlatency

focal	dne
jammy	not-affected
noble	not-affected

linux-lowlatency-hwe-5.15

focal	not-affected
jammy	dne
noble	dne

linux-lowlatency-hwe-5.19

focal	dne
jammy	ignored
noble	dne

linux-lowlatency-hwe-6.2

focal	dne
jammy	ignored
noble	dne

linux-lowlatency-hwe-6.5

focal	dne
jammy	ignored
noble	dne

linux-lowlatency-hwe-6.8

bionic	dne
focal	dne
jammy	not-affected
noble	dne
trusty	dne
xenial	dne

linux-lts-xenial

focal	dne
jammy	dne
noble	dne
trusty	not-affected

linux-nvidia

focal	dne
jammy	not-affected
noble	not-affected

linux-nvidia-6.2

focal	dne
jammy	ignored
noble	dne

linux-nvidia-6.5

focal	dne
jammy	not-affected
noble	dne

linux-nvidia-6.8

bionic	dne
focal	dne
jammy	not-affected
noble	dne
trusty	dne
xenial	dne

linux-nvidia-lowlatency

bionic	dne
focal	dne
jammy	dne
noble	not-affected
trusty	dne
xenial	dne

linux-oem

bionic	ignored
focal	dne
jammy	dne
noble	dne

linux-oem-5.10

focal	ignored
jammy	dne
noble	dne

linux-oem-5.13

focal	ignored
jammy	dne
noble	dne

linux-oem-5.14

focal	ignored
jammy	dne
noble	dne

linux-oem-5.17

focal	dne
jammy	ignored
noble	dne

linux-oem-5.6

focal	ignored
jammy	dne
noble	dne

linux-oem-6.0

focal	dne
jammy	ignored
noble	dne

linux-oem-6.1

focal	dne
jammy	ignored
noble	dne

linux-oem-6.5

focal	dne
jammy	not-affected
noble	dne

linux-oem-6.8

focal	dne
jammy	dne
noble	not-affected

linux-oracle

bionic	not-affected
focal	not-affected
jammy	not-affected
noble	not-affected
xenial	not-affected

linux-oracle-5.0

bionic	ignored
focal	dne
jammy	dne
noble	dne

linux-oracle-5.11

focal	ignored
jammy	dne
noble	dne

linux-oracle-5.13

focal	ignored
jammy	dne
noble	dne

linux-oracle-5.15

focal	not-affected
jammy	dne
noble	dne

linux-oracle-5.3

bionic	ignored
focal	dne
jammy	dne
noble	dne

linux-oracle-5.4

bionic	not-affected
focal	dne
jammy	dne
noble	dne

linux-oracle-5.8

focal	ignored
jammy	dne
noble	dne

linux-oracle-6.5

focal	dne
jammy	not-affected
noble	dne

linux-raspi

focal	not-affected
jammy	not-affected
noble	not-affected

linux-raspi-5.4

bionic	not-affected
focal	dne
jammy	dne
noble	dne

linux-raspi-realtime

bionic	dne
focal	dne
jammy	dne
noble	dne
trusty	dne
xenial	dne

linux-raspi2

focal	ignored
jammy	dne
noble	dne

linux-realtime

bionic	dne
focal	dne
jammy	ignored
noble	dne
trusty	dne
xenial	dne

linux-riscv

focal	ignored
jammy	ignored
noble	not-affected

linux-riscv-5.11

focal	ignored
jammy	dne
noble	dne

linux-riscv-5.15

focal	not-affected
jammy	dne
noble	dne

linux-riscv-5.19

focal	dne
jammy	ignored
noble	dne

linux-riscv-5.8

focal	ignored
jammy	dne
noble	dne

linux-riscv-6.5

focal	dne
jammy	ignored
noble	dne

linux-riscv-6.8

bionic	dne
focal	dne
jammy	not-affected
noble	dne
trusty	dne
xenial	dne

linux-starfive-5.19

focal	dne
jammy	ignored
noble	dne

linux-starfive-6.2

focal	dne
jammy	ignored
noble	dne

linux-starfive-6.5

focal	dne
jammy	not-affected
noble	dne

linux-xilinx-zynqmp

focal	not-affected
jammy	not-affected
noble	dne

Common Weakness Enumeration

CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
The program contains a code sequence that can run concurrently with other code, and the code sequence requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence that is operating concurrently.

References

https://git.kernel.org/stable/c/5b068f33bc8acfcfd5ea7992a2dafb30d89bad30

https://git.kernel.org/stable/c/7b53d2204ce79b27a878074a77d64f40ec21dbca

https://git.kernel.org/stable/c/7c759040c1dd03954f650f147ae7175476d51314

https://git.kernel.org/stable/c/f90cc68f9f4b5d8585ad5d0a206a9d37ac299ef3

https://git.kernel.org/stable/c/5b068f33bc8acfcfd5ea7992a2dafb30d89bad30

https://git.kernel.org/stable/c/7b53d2204ce79b27a878074a77d64f40ec21dbca

https://git.kernel.org/stable/c/7c759040c1dd03954f650f147ae7175476d51314

https://git.kernel.org/stable/c/f90cc68f9f4b5d8585ad5d0a206a9d37ac299ef3