In the Linux kernel, the following vulnerability has been resolved:
can: j1939: Fix UAF in j1939skmatchfilter during setsockopt(SOJ1939_FILTER)
Lock jsk->sk to prevent UAF when setsockopt(..., SOJ1939FILTER, ...) modifies jsk->filters while receiving packets.
Following trace was seen on affected system: ================================================================== BUG: KASAN: slab-use-after-free in j1939skrecvmatchone+0x1af/0x2d0 [can_j1939] Read of size 4 at addr ffff888012144014 by task j1939/350
CPU: 0 PID: 350 Comm: j1939 Tainted: G W OE 6.5.0-rc5 #1 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014 Call Trace: printreport+0xd3/0x620 ? kasancompletemodereportinfo+0x7d/0x200 ? j1939skrecvmatchone+0x1af/0x2d0 [canj1939] kasanreport+0xc2/0x100 ? j1939skrecvmatchone+0x1af/0x2d0 [canj1939] asanload4+0x84/0xb0 j1939skrecvmatchone+0x1af/0x2d0 [canj1939] j1939skrecv+0x20b/0x320 [canj1939] ? _kasancheckwrite+0x18/0x20 ? _pfxj1939skrecv+0x10/0x10 [canj1939] ? j1939simplerecv+0x69/0x280 [canj1939] ? j1939acrecv+0x5e/0x310 [canj1939] j1939canrecv+0x43f/0x580 [canj1939] ? _pfxj1939canrecv+0x10/0x10 [canj1939] ? rawrcv+0x42/0x3c0 [canraw] ? _pfxj1939canrecv+0x10/0x10 [canj1939] canrcvfilter+0x11f/0x350 [can] canreceive+0x12f/0x190 [can] ? _pfxcanrcv+0x10/0x10 [can] canrcv+0xdd/0x130 [can] ? _pfxcanrcv+0x10/0x10 [can] _netifreceiveskbonecore+0x13d/0x150 ? _pfxnetifreceiveskbonecore+0x10/0x10 ? kasancheckwrite+0x18/0x20 ? _rawspinlockirq+0x8c/0xe0 _netifreceiveskb+0x23/0xb0 processbacklog+0x107/0x260 _napipoll+0x69/0x310 netrxaction+0x2a1/0x580 ? _pfxnetrxaction+0x10/0x10 ? _pfxrawspinlock+0x10/0x10 ? handleirqevent+0x7d/0xa0 _dosoftirq+0xf3/0x3f8 dosoftirq+0x53/0x80 </IRQ> <TASK> _localbhenableip+0x6e/0x70 netifrx+0x16b/0x180 cansend+0x32b/0x520 [can] ? _pfxcansend+0x10/0x10 [can] ? _checkobjectsize+0x299/0x410 rawsendmsg+0x572/0x6d0 [canraw] ? _pfxrawsendmsg+0x10/0x10 [canraw] ? apparmorsocketsendmsg+0x2f/0x40 ? _pfxrawsendmsg+0x10/0x10 [canraw] socksendmsg+0xef/0x100 sockwriteiter+0x162/0x220 ? _pfxsockwriteiter+0x10/0x10 ? _rtnlunlock+0x47/0x80 ? securityfilepermission+0x54/0x320 vfswrite+0x6ba/0x750 ? _pfxvfswrite+0x10/0x10 ? _fgetlight+0x1ca/0x1f0 ? _rcureadunlock+0x5b/0x280 ksyswrite+0x143/0x170 ? _pfxksyswrite+0x10/0x10 ? _kasancheckread+0x15/0x20 ? fpregsassertstateconsistent+0x62/0x70 _x64syswrite+0x47/0x60 dosyscall64+0x60/0x90 ? dosyscall64+0x6d/0x90 ? irqentryexit+0x3f/0x50 ? excpagefault+0x79/0xf0 entrySYSCALL64afterhwframe+0x6e/0xd8
Allocated by task 348: kasansavestack+0x2a/0x50 kasansettrack+0x29/0x40 kasansaveallocinfo+0x1f/0x30 _kasankmalloc+0xb5/0xc0 _kmallocnodetrackcaller+0x67/0x160 j1939sksetsockopt+0x284/0x450 [canj1939] _syssetsockopt+0x15c/0x2f0 _x64syssetsockopt+0x6b/0x80 dosyscall64+0x60/0x90 entrySYSCALL64after_hwframe+0x6e/0xd8
Freed by task 349: kasansavestack+0x2a/0x50 kasansettrack+0x29/0x40 kasansavefreeinfo+0x2f/0x50 _kasanslabfree+0x12e/0x1c0 _kmemcachefree+0x1b9/0x380 kfree+0x7a/0x120 j1939sksetsockopt+0x3b2/0x450 [canj1939] _syssetsockopt+0x15c/0x2f0 _x64syssetsockopt+0x6b/0x80 dosyscall64+0x60/0x90 entrySYSCALL64after_hwframe+0x6e/0xd8