An issue was discovered in can_can_gw_rcv() in net/can/gw.c in the Linux kernel. Because of a missing check, the CAN driver may write arbitrary content beyond the data registers in the CAN controller's I/O memory when processing outgoing frames that a can-gw rule has modified. A local user with the CAP_NET_ADMIN capability granted in the initial namespace can exploit this vulnerability to cause a system crash and thus a denial of service (DoS).
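To make the missing check concrete, the following is an added, self-contained C model of the failure mode; it is not the kernel's code and is not taken from this page. The struct names (model_frame, model_skb, model_ctrl), the DLC modification enum, the register offset and the functions gw_rcv(), driver_tx() and simulate() are all constructed for illustration. Only CAN_MAX_DLEN (8, the classic CAN payload limit) and the can_dlc field name mirror linux/can.h. The model shows why a rule that rewrites the DLC byte must be followed by a bounds check before the frame reaches a driver that trusts can_dlc when copying into the controller's data registers.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Classic CAN payload limit, same value as CAN_MAX_DLEN in linux/can.h. */
#define CAN_MAX_DLEN 8

/* Constructed stand-in for struct can_frame (classic layout: id, dlc, 8 data bytes). */
struct model_frame {
	uint32_t can_id;
	uint8_t  can_dlc;
	uint8_t  data[CAN_MAX_DLEN];
};

/* Constructed skb: the frame plus whatever memory follows it in the buffer. */
struct model_skb {
	struct model_frame cf;
	uint8_t tail[256];
};

/* Constructed controller I/O window. It is sized so that a DLC of up to 255 can never
 * run past the C array: the model stays memory-safe while showing the out-of-window write. */
#define DATA_REG_OFF 16
#define IO_SIZE      (DATA_REG_OFF + 256)
struct model_ctrl {
	uint8_t regs[IO_SIZE];
};

/* DLC byte operations a gateway modification rule could express (constructed enum). */
enum mod_op { MOD_SET, MOD_AND, MOD_OR, MOD_XOR };
struct dlc_mod {
	enum mod_op op;
	uint8_t val;
};

static void apply_dlc_mod(struct model_frame *cf, const struct dlc_mod *m)
{
	switch (m->op) {
	case MOD_SET: cf->can_dlc  = m->val; break;
	case MOD_AND: cf->can_dlc &= m->val; break;
	case MOD_OR:  cf->can_dlc |= m->val; break;
	case MOD_XOR: cf->can_dlc ^= m->val; break;
	}
}

/* Gateway receive path: apply the rule, then (only when enforce_check is set) refuse a
 * frame whose DLC no longer fits a classic CAN frame. Returns 0 to forward, -1 to drop. */
static int gw_rcv(struct model_skb *skb, const struct dlc_mod *m, bool enforce_check)
{
	apply_dlc_mod(&skb->cf, m);
	if (enforce_check && skb->cf.can_dlc > CAN_MAX_DLEN)
		return -1;
	return 0;
}

/* Driver transmit path: trusts can_dlc and copies that many bytes into the data registers.
 * With an oversized DLC the copy continues past the frame into the bytes that follow it. */
static void driver_tx(struct model_ctrl *ctrl, const struct model_skb *skb)
{
	const uint8_t *payload = (const uint8_t *)skb + offsetof(struct model_skb, cf)
	                         + offsetof(struct model_frame, data);
	memcpy(&ctrl->regs[DATA_REG_OFF], payload, skb->cf.can_dlc);
}

/* Count register bytes outside the 8-byte data window that the driver wrote. */
static int bytes_clobbered(const struct model_ctrl *ctrl)
{
	int n = 0;
	for (size_t i = 0; i < IO_SIZE; i++) {
		if (i >= DATA_REG_OFF && i < DATA_REG_OFF + CAN_MAX_DLEN)
			continue;
		if (ctrl->regs[i] != 0)
			n++;
	}
	return n;
}

/* Run one frame through gateway and driver. Returns -1 if the gateway dropped it,
 * otherwise the number of register bytes written outside the data window. */
int simulate(uint8_t orig_dlc, struct dlc_mod m, bool enforce_check)
{
	struct model_skb skb;
	struct model_ctrl ctrl;

	memset(&skb, 0xAA, sizeof skb);   /* constructed "arbitrary content" after the frame */
	memset(&ctrl, 0, sizeof ctrl);
	skb.cf.can_id = 0x123;
	skb.cf.can_dlc = orig_dlc;
	for (int i = 0; i < CAN_MAX_DLEN; i++)
		skb.cf.data[i] = (uint8_t)(0x10 + i);

	if (gw_rcv(&skb, &m, enforce_check) < 0)
		return -1;
	driver_tx(&ctrl, &skb);
	return bytes_clobbered(&ctrl);
}

int main(void)
{
	struct dlc_mod set_big = { MOD_SET, 0x40 };
	printf("unchecked: %d bytes written beyond the data registers\n", simulate(8, set_big, false));
	printf("checked:   %d (frame dropped)\n", simulate(8, set_big, true));
	return 0;
}
```

The unchecked path lets a SET, OR or XOR rule push can_dlc above 8, and the driver then copies the bytes that happen to follow the frame into whatever registers sit after the data window; the checked path drops such a frame at the gateway, which is the property a fix for this class of bug has to establish before the frame is handed to any driver.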
A suggested patch:
An upstream patch:
Created kernel tracking bugs for this issue:
Affects: fedora-all [bug 1663730]
Exploitability and Impact Note:
From: Michal Kubecek <mkubecek () suse ! cz>
> > Second can-gw rules can only be configured by *root* and not by any regular
> > user - and finally it is definitely not namespace related.
> Sorry for the noise, I misread the code (and commit 90f62cf30a78) so
> that I thought netlink_ns_capable() is used in net/can/gw.c; now I see
> that it's netlink_capable() so that global CAP_NET_ADMIN is required
> rather than namespace one and the bug cannot be exploited by a regular
With this noted, we consider this issue to be a bug and not a security flaw.