In the Linux kernel, the following vulnerability has been resolved: can:
j1939: Fix UAF in j1939_sk_match_filter during setsockopt(SO_J1939_FILTER)
Lock jsk->sk to prevent UAF when setsockopt(…, SO_J1939_FILTER, …)
modifies jsk->filters while receiving packets. Following trace was seen on
affected system:
================================================================== BUG:
KASAN: slab-use-after-free in j1939_sk_recv_match_one+0x1af/0x2d0
[can_j1939] Read of size 4 at addr ffff888012144014 by task j1939/350 CPU:
0 PID: 350 Comm: j1939 Tainted: G W OE 6.5.0-rc5 #1 Hardware name: QEMU
Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014 Call
Trace: print_report+0xd3/0x620 ? kasan_complete_mode_report_info+0x7d/0x200
? j1939_sk_recv_match_one+0x1af/0x2d0 [can_j1939] kasan_report+0xc2/0x100 ?
j1939_sk_recv_match_one+0x1af/0x2d0 [can_j1939] __asan_load4+0x84/0xb0
j1939_sk_recv_match_one+0x1af/0x2d0 [can_j1939] j1939_sk_recv+0x20b/0x320
[can_j1939] ? __kasan_check_write+0x18/0x20 ? __pfx_j1939_sk_recv+0x10/0x10
[can_j1939] ? j1939_simple_recv+0x69/0x280 [can_j1939] ?
j1939_ac_recv+0x5e/0x310 [can_j1939] j1939_can_recv+0x43f/0x580 [can_j1939]
? __pfx_j1939_can_recv+0x10/0x10 [can_j1939] ? raw_rcv+0x42/0x3c0 [can_raw]
? __pfx_j1939_can_recv+0x10/0x10 [can_j1939] can_rcv_filter+0x11f/0x350
[can] can_receive+0x12f/0x190 [can] ? __pfx_can_rcv+0x10/0x10 [can]
can_rcv+0xdd/0x130 [can] ? __pfx_can_rcv+0x10/0x10 [can]
__netif_receive_skb_one_core+0x13d/0x150 ?
__pfx___netif_receive_skb_one_core+0x10/0x10 ?
__kasan_check_write+0x18/0x20 ? _raw_spin_lock_irq+0x8c/0xe0
__netif_receive_skb+0x23/0xb0 process_backlog+0x107/0x260
__napi_poll+0x69/0x310 net_rx_action+0x2a1/0x580 ?
__pfx_net_rx_action+0x10/0x10 ? __pfx__raw_spin_lock+0x10/0x10 ?
handle_irq_event+0x7d/0xa0 __do_softirq+0xf3/0x3f8 do_softirq+0x53/0x80
</IRQ> <TASK> __local_bh_enable_ip+0x6e/0x70 netif_rx+0x16b/0x180
can_send+0x32b/0x520 [can] ? __pfx_can_send+0x10/0x10 [can] ?
__check_object_size+0x299/0x410 raw_sendmsg+0x572/0x6d0 [can_raw] ?
__pfx_raw_sendmsg+0x10/0x10 [can_raw] ? apparmor_socket_sendmsg+0x2f/0x40 ?
__pfx_raw_sendmsg+0x10/0x10 [can_raw] sock_sendmsg+0xef/0x100
sock_write_iter+0x162/0x220 ? __pfx_sock_write_iter+0x10/0x10 ?
__rtnl_unlock+0x47/0x80 ? security_file_permission+0x54/0x320
vfs_write+0x6ba/0x750 ? __pfx_vfs_write+0x10/0x10 ?
__fget_light+0x1ca/0x1f0 ? __rcu_read_unlock+0x5b/0x280
ksys_write+0x143/0x170 ? __pfx_ksys_write+0x10/0x10 ?
__kasan_check_read+0x15/0x20 ? fpregs_assert_state_consistent+0x62/0x70
__x64_sys_write+0x47/0x60 do_syscall_64+0x60/0x90 ? do_syscall_64+0x6d/0x90
? irqentry_exit+0x3f/0x50 ? exc_page_fault+0x79/0xf0
entry_SYSCALL_64_after_hwframe+0x6e/0xd8 Allocated by task 348:
kasan_save_stack+0x2a/0x50 kasan_set_track+0x29/0x40
kasan_save_alloc_info+0x1f/0x30 __kasan_kmalloc+0xb5/0xc0
__kmalloc_node_track_caller+0x67/0x160 j1939_sk_setsockopt+0x284/0x450
[can_j1939] __sys_setsockopt+0x15c/0x2f0 __x64_sys_setsockopt+0x6b/0x80
do_syscall_64+0x60/0x90 entry_SYSCALL_64_after_hwframe+0x6e/0xd8 Freed by
task 349: kasan_save_stack+0x2a/0x50 kasan_set_track+0x29/0x40
kasan_save_free_info+0x2f/0x50 __kasan_slab_free+0x12e/0x1c0
__kmem_cache_free+0x1b9/0x380 kfree+0x7a/0x120
j1939_sk_setsockopt+0x3b2/0x450 [can_j1939] __sys_setsockopt+0x15c/0x2f0
__x64_sys_setsockopt+0x6b/0x80 do_syscall_64+0x60/0x90
entry_SYSCALL_64_after_hwframe+0x6e/0xd8
OS | Version | Architecture | Package | Version | Filename |
---|---|---|---|---|---|
ubuntu | 18.04 | noarch | linux | < any | UNKNOWN |
ubuntu | 20.04 | noarch | linux | < 5.4.0-181.201 | UNKNOWN |
ubuntu | 22.04 | noarch | linux | < 5.15.0-106.116 | UNKNOWN |
ubuntu | 23.10 | noarch | linux | < any | UNKNOWN |
ubuntu | 24.04 | noarch | linux | < any | UNKNOWN |
ubuntu | 14.04 | noarch | linux | < any | UNKNOWN |
ubuntu | 16.04 | noarch | linux | < any | UNKNOWN |
ubuntu | 18.04 | noarch | linux-aws | < any | UNKNOWN |
ubuntu | 20.04 | noarch | linux-aws | < 5.4.0-1124.134 | UNKNOWN |
ubuntu | 22.04 | noarch | linux-aws | < 5.15.0-1061.67 | UNKNOWN |
git.kernel.org/linus/efe7cf828039aedb297c1f9920b638fffee6aabc (6.8-rc5)
git.kernel.org/stable/c/08de58abedf6e69396e1207e4f99ef8904b2b532
git.kernel.org/stable/c/41ccb5bcbf03f02d820bc6ea8390811859f558f8
git.kernel.org/stable/c/4dd684d4bb3cd5454e0bf6e2a1bdfbd5c9c872ed
git.kernel.org/stable/c/978e50ef8c38dc71bd14d1b0143d554ff5d188ba
git.kernel.org/stable/c/efe7cf828039aedb297c1f9920b638fffee6aabc
git.kernel.org/stable/c/f84e7534457dcd7835be743517c35378bb4e7c50
git.kernel.org/stable/c/fc74b9cb789cae061bbca7b203a3842e059f6b5d
launchpad.net/bugs/cve/CVE-2023-52637
nvd.nist.gov/vuln/detail/CVE-2023-52637
security-tracker.debian.org/tracker/CVE-2023-52637
ubuntu.com/security/notices/USN-6766-1
ubuntu.com/security/notices/USN-6766-2
ubuntu.com/security/notices/USN-6766-3
ubuntu.com/security/notices/USN-6767-1
ubuntu.com/security/notices/USN-6767-2
ubuntu.com/security/notices/USN-6795-1
ubuntu.com/security/notices/USN-6828-1
www.cve.org/CVERecord?id=CVE-2023-52637