CVE-2022-48830

Source
https://nvd.nist.gov/vuln/detail/CVE-2022-48830
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-48830.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2022-48830
Related
Published
2024-07-16T12:15:06Z
Modified
2024-09-18T03:22:37.948480Z
Summary
[none]
Details

In the Linux kernel, the following vulnerability has been resolved:

can: isotp: fix potential CAN frame reception race in isotp_rcv()

When receiving a CAN frame the current code logic does not consider concurrently receiving processes which do not show up in real world usage.

Ziyang Xuan writes:

The following syz problem is one of the scenarios. so->rx.len is changed by isotprcvff() during isotprcvcf(), so->rx.len equals 0 before allocskb() and equals 4096 after allocskb(). That will trigger skboverpanic() in skb_put().

======================================================= CPU: 1 PID: 19 Comm: ksoftirqd/1 Not tainted 5.16.0-rc8-syzkaller #0 RIP: 0010:skbpanic+0x16c/0x16e net/core/skbuff.c:113 Call Trace: <TASK> skboverpanic net/core/skbuff.c:118 [inline] skbput.cold+0x24/0x24 net/core/skbuff.c:1990 isotprcvcf net/can/isotp.c:570 [inline] isotprcv+0xa38/0x1e30 net/can/isotp.c:668 deliver net/can/afcan.c:574 [inline] canrcvfilter+0x445/0x8d0 net/can/afcan.c:635 canreceive+0x31d/0x580 net/can/afcan.c:665 canrcv+0x120/0x1c0 net/can/afcan.c:696 _netifreceiveskbonecore+0x114/0x180 net/core/dev.c:5465 _netifreceive_skb+0x24/0x1b0 net/core/dev.c:5579

Therefore we make sure the state changes and data structures stay consistent at CAN frame reception time by adding a spinlock in isotprcv(). This fixes the issue reported by syzkaller but does not affect real world operation.

References

Affected packages

Debian:11 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
5.10.103-1

Affected versions

5.*

5.10.46-4
5.10.46-5
5.10.70-1~bpo10+1
5.10.70-1
5.10.84-1
5.10.92-1~bpo10+1
5.10.92-1
5.10.92-2
5.10.103-1~bpo10+1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
5.16.10-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
5.16.10-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}