Bug 1663729 (CVE-2019-3701) - CVE-2019-3701 kernel: Missing check in net/can/gw.c:can_can_gw_rcv() allows for crash by users with CAP_NET_ADMIN
Summary: CVE-2019-3701 kernel: Missing check in net/can/gw.c:can_can_gw_rcv() allows f...
Status: CLOSED NOTABUG
Alias: CVE-2019-3701
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=none,public=20181228,reported=...
Keywords: Security
Depends On: 1663730
Blocks: 1663768
TreeView+ depends on / blocked
 
Reported: 2019-01-07 03:02 UTC by Sam Fowler
Modified: 2019-04-12 02:16 UTC (History)
1 user (show)

(edit)
An issue was discovered in can_can_gw_rcv() in the net/can/gw.c in the Linux kernel. The CAN driver may write arbitrary content beyond the data registers in the CAN controller's I/O memory when processing can-gw manipulated outgoing frames because of a missing check. A local user with CAP_NET_ADMIN capability granted in the initial namespace can exploit this vulnerability to cause a system crash and thus a denial of service (DoS).
Clone Of:
(edit)
Last Closed: 2019-03-14 17:06:04 UTC


Attachments (Terms of Use)

Description Sam Fowler 2019-01-07 03:02:30 UTC
An issue was discovered in can_can_gw_rcv() in the net/can/gw.c in the Linux kernel. The CAN driver may write an arbitrary content beyond the data registers in the CAN controller's I/O memory when processing can-gw manipulated outgoing frames because of a missing check. A local user with CAP_NET_ADMIN capability granted in the initial namespace can exploit this vulnerability to cause a system crash and thus a denial of service (DoS).

References:

https://marc.info/?t=154651855000001&r=1&w=2

A suggested patch:

https://marc.info/?l=linux-can&m=154659326224990&w=2

An upstream patch:

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=0aaa81377c5a01f686bcdb8c7a6929a7bf330c68

Comment 1 Sam Fowler 2019-01-07 03:02:45 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1663730]

Comment 2 Vladis Dronov 2019-03-14 16:45:11 UTC
Exploitability and Impact Note:

https://marc.info/?l=linux-can&m=154654764312859&w=2

From:       Michal Kubecek <mkubecek () suse ! cz>

> > Second can-gw rules can only be configured by *root* and not by any regular
> > user - and finally it is definitely not namespace related.
> 
> Sorry for the noise, I misread the code (and commit 90f62cf30a78) so
> that I thought netlink_ns_capable() is used in net/can/gw.c; now I see
> that it's netlink_capable() so that global CAP_NET_ADMIN is required
> rather than namespace one and the bug cannot be exploited by a regular
> user.

With this noted we consider this issue to be a bug and not a security flaw.


Note You need to log in before you can comment on or make changes to this bug.