CVE-2022-48830

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> can: isotp: fix potential CAN frame reception race in isotp_rcv()<br /> <br /> When receiving a CAN frame the current code logic does not consider<br /> concurrently receiving processes which do not show up in real world<br /> usage.<br /> <br /> Ziyang Xuan writes:<br /> <br /> The following syz problem is one of the scenarios. so-&gt;rx.len is<br /> changed by isotp_rcv_ff() during isotp_rcv_cf(), so-&gt;rx.len equals<br /> 0 before alloc_skb() and equals 4096 after alloc_skb(). That will<br /> trigger skb_over_panic() in skb_put().<br /> <br /> =======================================================<br /> CPU: 1 PID: 19 Comm: ksoftirqd/1 Not tainted 5.16.0-rc8-syzkaller #0<br /> RIP: 0010:skb_panic+0x16c/0x16e net/core/skbuff.c:113<br /> Call Trace:<br /> <br /> skb_over_panic net/core/skbuff.c:118 [inline]<br /> skb_put.cold+0x24/0x24 net/core/skbuff.c:1990<br /> isotp_rcv_cf net/can/isotp.c:570 [inline]<br /> isotp_rcv+0xa38/0x1e30 net/can/isotp.c:668<br /> deliver net/can/af_can.c:574 [inline]<br /> can_rcv_filter+0x445/0x8d0 net/can/af_can.c:635<br /> can_receive+0x31d/0x580 net/can/af_can.c:665<br /> can_rcv+0x120/0x1c0 net/can/af_can.c:696<br /> __netif_receive_skb_one_core+0x114/0x180 net/core/dev.c:5465<br /> __netif_receive_skb+0x24/0x1b0 net/core/dev.c:5579<br /> <br /> Therefore we make sure the state changes and data structures stay<br /> consistent at CAN frame reception time by adding a spin_lock in<br /> isotp_rcv(). This fixes the issue reported by syzkaller but does not<br /> affect real world operation.