An issue was discovered in can_can_gw_rcv() in net/can/gw.c in the Linux kernel. Because of a missing check, the CAN driver may write arbitrary content beyond the data registers in the CAN controller's I/O memory when processing outgoing frames that can-gw has modified. A local user with the CAP_NET_ADMIN capability granted in the initial namespace can exploit this vulnerability to cause a system crash and thus a denial of service (DoS).

References:
https://marc.info/?t=154651855000001&r=1&w=2

A suggested patch:
https://marc.info/?l=linux-can&m=154659326224990&w=2

An upstream patch:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=0aaa81377c5a01f686bcdb8c7a6929a7bf330c68
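The upstream commit linked above (0aaa81377c5a) bounds the data length code of a frame that a can-gw rule has modified against the space available in the frame and drops the frame otherwise. The C program below is an added user-space model of that check, not kernel code and not the commit's own code; the frame and rule structs, driver_xmit() and demo_rule() are simplified assumptions made for this example.

```c
#include <stdint.h>
#include <string.h>

#define CAN_MAX_DLEN 8

/* Simplified classic CAN frame, modelled on struct can_frame (constructed for this example). */
struct can_frame {
    uint32_t can_id;
    uint8_t  can_dlc;             /* data length code; must stay within 0..CAN_MAX_DLEN */
    uint8_t  data[CAN_MAX_DLEN];
};

/* Hypothetical subset of a can-gw modification rule: optionally overwrite the DLC. */
struct gw_mod {
    int     set_dlc;
    uint8_t dlc;                  /* 8-bit field, so a rule can carry a value above 8 */
};

/* Stand-in for a driver TX path that copies can_dlc bytes into the 8 data registers.
 * Real drivers trusted can_dlc; this model reports the overrun (-1) instead of performing it. */
static int driver_xmit(uint8_t regs[CAN_MAX_DLEN], const struct can_frame *cf)
{
    if (cf->can_dlc > CAN_MAX_DLEN)
        return -1;                /* the write past the data registers the advisory describes */
    memcpy(regs, cf->data, cf->can_dlc);
    return cf->can_dlc;
}

/* gw forwarding step with the check the fix adds: once the rule has modified the frame,
 * the DLC must still fit the data area or the frame is dropped before reaching the driver.
 * Returns bytes handed to the driver, or -1 if the frame was dropped. */
int gw_forward_checked(struct can_frame *cf, const struct gw_mod *mod, uint8_t regs[CAN_MAX_DLEN])
{
    int max_len = (int)sizeof(cf->data);   /* upstream derives this from the skb length */
    if (mod->set_dlc)
        cf->can_dlc = mod->dlc;
    if (cf->can_dlc > max_len)
        return -1;
    return driver_xmit(regs, cf);
}

/* Run one rule against a constructed 4-byte frame; returns gw_forward_checked()'s result. */
int demo_rule(uint8_t new_dlc)
{
    uint8_t regs[CAN_MAX_DLEN] = {0};
    struct can_frame cf = { .can_id = 0x123, .can_dlc = 4, .data = {1, 2, 3, 4} };
    struct gw_mod rule = { .set_dlc = 1, .dlc = new_dlc };
    return gw_forward_checked(&cf, &rule, regs);   /* 9 -> -1 (dropped), 6 -> 6 */
}
```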
Created kernel tracking bugs for this issue:
Affects: fedora-all [bug 1663730]
Exploitability and Impact Note: https://marc.info/?l=linux-can&m=154654764312859&w=2

From: Michal Kubecek <mkubecek () suse ! cz>

> > Second can-gw rules can only be configured by *root* and not by any regular
> > user - and finally it is definitely not namespace related.
>
> Sorry for the noise, I misread the code (and commit 90f62cf30a78) so
> that I thought netlink_ns_capable() is used in net/can/gw.c; now I see
> that it's netlink_capable() so that global CAP_NET_ADMIN is required
> rather than namespace one and the bug cannot be exploited by a regular
> user.

With this noted, we consider this issue to be a bug and not a security flaw.