Bug 1663729 (CVE-2019-3701)

Summary: CVE-2019-3701 kernel: Missing check in net/can/gw.c:can_can_gw_rcv() allows for crash by users with CAP_NET_ADMIN
Product: [Other] Security Response Reporter: Sam Fowler <sfowler>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: vdronov
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
An issue was discovered in can_can_gw_rcv() in the net/can/gw.c in the Linux kernel. The CAN driver may write arbitrary content beyond the data registers in the CAN controller's I/O memory when processing can-gw manipulated outgoing frames because of a missing check. A local user with CAP_NET_ADMIN capability granted in the initial namespace can exploit this vulnerability to cause a system crash and thus a denial of service (DoS).
 Story Points: ---
Clone Of: Environment:
Last Closed: 2019-03-14 17:06:04 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1663730    
Bug Blocks: 1663768    

Description Sam Fowler 2019-01-07 03:02:30 UTC 
An issue was discovered in can_can_gw_rcv() in the net/can/gw.c in the Linux kernel. The CAN driver may write an arbitrary content beyond the data registers in the CAN controller's I/O memory when processing can-gw manipulated outgoing frames because of a missing check. A local user with CAP_NET_ADMIN capability granted in the initial namespace can exploit this vulnerability to cause a system crash and thus a denial of service (DoS).

References:

https://marc.info/?t=154651855000001&r=1&w=2

A suggested patch:

https://marc.info/?l=linux-can&m=154659326224990&w=2

An upstream patch:

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=0aaa81377c5a01f686bcdb8c7a6929a7bf330c68
Comment 1 Sam Fowler 2019-01-07 03:02:45 UTC 
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1663730]
Comment 2 Vladis Dronov 2019-03-14 16:45:11 UTC 
Exploitability and Impact Note:

https://marc.info/?l=linux-can&m=154654764312859&w=2

From:       Michal Kubecek <mkubecek () suse ! cz>

> > Second can-gw rules can only be configured by *root* and not by any regular
> > user - and finally it is definitely not namespace related.
> 
> Sorry for the noise, I misread the code (and commit 90f62cf30a78) so
> that I thought netlink_ns_capable() is used in net/can/gw.c; now I see
> that it's netlink_capable() so that global CAP_NET_ADMIN is required
> rather than namespace one and the bug cannot be exploited by a regular
> user.

With this noted we consider this issue to be a bug and not a security flaw.