In the Linux kernel, the following vulnerability has been resolved:
can: j1939: Fix UAF in j1939_sk_match_filter during setsockopt(SO_J1939_FILTER)
Lock jsk->sk to prevent UAF when setsockopt(..., SO_J1939_FILTER, ...) modifies jsk->filters while receiving packets.
Following trace was seen on affected system:

==================================================================
BUG: KASAN: slab-use-after-free in j1939_sk_recv_match_one+0x1af/0x2d0 [can_j1939]
Read of size 4 at addr ffff888012144014 by task j1939/350
CPU: 0 PID: 350 Comm: j1939 Tainted: G W OE 6.5.0-rc5 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
Allocated by task 348:
 kasan_save_stack+0x2a/0x50
 kasan_set_track+0x29/0x40
 kasan_save_alloc_info+0x1f/0x30
 __kasan_kmalloc+0xb5/0xc0
 __kmalloc_node_track_caller+0x67/0x160
 j1939_sk_setsockopt+0x284/0x450 [can_j1939]
 __sys_setsockopt+0x15c/0x2f0
 __x64_sys_setsockopt+0x6b/0x80
 do_syscall_64+0x60/0x90
 entry_SYSCALL_64_after_hwframe+0x6e/0xd8

Freed by task 349:
 kasan_save_stack+0x2a/0x50
 kasan_set_track+0x29/0x40
 kasan_save_free_info+0x2f/0x50
 __kasan_slab_free+0x12e/0x1c0
 __kmem_cache_free+0x1b9/0x380
 kfree+0x7a/0x120
 j1939_sk_setsockopt+0x3b2/0x450 [can_j1939]
 __sys_setsockopt+0x15c/0x2f0
 __x64_sys_setsockopt+0x6b/0x80
 do_syscall_64+0x60/0x90
 entry_SYSCALL_64_after_hwframe+0x6e/0xd8
{
"cna_assigner": "Linux",
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/52xxx/CVE-2023-52637.json"
}