CVE-2022-48830
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2022-48830
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-48830.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2022-48830
- Downstream
- Related
- Published
- 2024-07-16T11:44:13Z
- Modified
- 2025-10-08T06:51:44.757710Z
- Summary
- can: isotp: fix potential CAN frame reception race in isotp_rcv()
- Details
-
In the Linux kernel, the following vulnerability has been resolved:
can: isotp: fix potential CAN frame reception race in isotp_rcv()
When receiving a CAN frame the current code logic does not consider concurrently receiving processes which do not show up in real world usage.
Ziyang Xuan writes:
The following syz problem is one of the scenarios. so->rx.len is changed by isotprcvff() during isotprcvcf(), so->rx.len equals 0 before allocskb() and equals 4096 after allocskb(). That will trigger skboverpanic() in skb_put().
======================================================= CPU: 1 PID: 19 Comm: ksoftirqd/1 Not tainted 5.16.0-rc8-syzkaller #0 RIP: 0010:skbpanic+0x16c/0x16e net/core/skbuff.c:113 Call Trace: <TASK> skboverpanic net/core/skbuff.c:118 [inline] skbput.cold+0x24/0x24 net/core/skbuff.c:1990 isotprcvcf net/can/isotp.c:570 [inline] isotprcv+0xa38/0x1e30 net/can/isotp.c:668 deliver net/can/afcan.c:574 [inline] canrcvfilter+0x445/0x8d0 net/can/afcan.c:635 canreceive+0x31d/0x580 net/can/afcan.c:665 canrcv+0x120/0x1c0 net/can/afcan.c:696 _netifreceiveskbonecore+0x114/0x180 net/core/dev.c:5465 _netifreceive_skb+0x24/0x1b0 net/core/dev.c:5579
Therefore we make sure the state changes and data structures stay consistent at CAN frame reception time by adding a spinlock in isotprcv(). This fixes the issue reported by syzkaller but does not affect real world operation.
- References
-
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- https://git.kernel.org/stable/c/5b068f33bc8acfcfd5ea7992a2dafb30d89bad30
- https://git.kernel.org/stable/c/7b53d2204ce79b27a878074a77d64f40ec21dbca
- https://git.kernel.org/stable/c/7c759040c1dd03954f650f147ae7175476d51314
- https://git.kernel.org/stable/c/f90cc68f9f4b5d8585ad5d0a206a9d37ac299ef3
Affected packages
Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Affected ranges
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introducede057dd3fc20ffb3d7f150af46542a51b59b90127Fixed7b53d2204ce79b27a878074a77d64f40ec21dbca
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introducede057dd3fc20ffb3d7f150af46542a51b59b90127Fixedf90cc68f9f4b5d8585ad5d0a206a9d37ac299ef3
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introducede057dd3fc20ffb3d7f150af46542a51b59b90127Fixed5b068f33bc8acfcfd5ea7992a2dafb30d89bad30
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introducede057dd3fc20ffb3d7f150af46542a51b59b90127Fixed7c759040c1dd03954f650f147ae7175476d51314
Affected versions
v5.*
v5.10
v5.10-rc1
v5.10-rc2
v5.10-rc3
v5.10-rc4
v5.10-rc5
v5.10-rc6
v5.10-rc7
v5.10.1
v5.10.10
v5.10.100
v5.10.11
v5.10.12
v5.10.13
v5.10.14
v5.10.15
v5.10.16
v5.10.17
v5.10.18
v5.10.19
v5.10.2
v5.10.20
v5.10.21
v5.10.22
v5.10.23
v5.10.24
v5.10.25
v5.10.26
v5.10.27
v5.10.28
v5.10.29
v5.10.3
v5.10.30
v5.10.31
v5.10.32
v5.10.33
v5.10.34
v5.10.35
v5.10.36
v5.10.37
v5.10.38
v5.10.39
v5.10.4
v5.10.40
v5.10.41
v5.10.42
v5.10.43
v5.10.44
v5.10.45
v5.10.46
v5.10.47
v5.10.48
v5.10.49
v5.10.5
v5.10.50
v5.10.51
v5.10.52
v5.10.53
v5.10.54
v5.10.55
v5.10.56
v5.10.57
v5.10.58
v5.10.59
v5.10.6
v5.10.60
v5.10.61
v5.10.62
v5.10.63
v5.10.64
v5.10.65
v5.10.66
v5.10.67
v5.10.68
v5.10.69
v5.10.7
v5.10.70
v5.10.71
v5.10.72
v5.10.73
v5.10.74
v5.10.75
v5.10.76
v5.10.77
v5.10.78
v5.10.79
v5.10.8
v5.10.80
v5.10.81
v5.10.82
v5.10.83
v5.10.84
v5.10.85
v5.10.86
v5.10.87
v5.10.88
v5.10.89
v5.10.9
v5.10.90
v5.10.91
v5.10.92
v5.10.93
v5.10.94
v5.10.95
v5.10.96
v5.10.97
v5.10.98
v5.10.99
v5.11
v5.11-rc1
v5.11-rc2
v5.11-rc3
v5.11-rc4
v5.11-rc5
v5.11-rc6
v5.11-rc7
v5.12
v5.12-rc1
v5.12-rc1-dontuse
v5.12-rc2
v5.12-rc3
v5.12-rc4
v5.12-rc5
v5.12-rc6
v5.12-rc7
v5.12-rc8
v5.13
v5.13-rc1
v5.13-rc2
v5.13-rc3
v5.13-rc4
v5.13-rc5
v5.13-rc6
v5.13-rc7
v5.14
v5.14-rc1
v5.14-rc2
v5.14-rc3
v5.14-rc4
v5.14-rc5
v5.14-rc6
v5.14-rc7
v5.15
v5.15-rc1
v5.15-rc2
v5.15-rc3
v5.15-rc4
v5.15-rc5
v5.15-rc6
v5.15-rc7
v5.15.1
v5.15.10
v5.15.11
v5.15.12
v5.15.13
v5.15.14
v5.15.15
v5.15.16
v5.15.17
v5.15.18
v5.15.19
v5.15.2
v5.15.20
v5.15.21
v5.15.22
v5.15.23
v5.15.3
v5.15.4
v5.15.5
v5.15.6
v5.15.7
v5.15.8
v5.15.9
v5.16
v5.16-rc1
v5.16-rc2
v5.16-rc3
v5.16-rc4
v5.16-rc5
v5.16-rc6
v5.16-rc7
v5.16-rc8
v5.16.1
v5.16.2
v5.16.3
v5.16.4
v5.16.5
v5.16.6
v5.16.7
v5.16.8
v5.16.9
v5.17-rc1
v5.17-rc2
v5.9
Database specific
{
"vanir_signatures": [
{
"signature_version": "v1",
"digest": {
"length": 1100.0,
"function_hash": "294895818130174989360678105078570897775"
},
"id": "CVE-2022-48830-0a42b6ca",
"deprecated": false,
"target": {
"file": "net/can/isotp.c",
"function": "isotp_rcv"
},
"signature_type": "Function",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@7b53d2204ce79b27a878074a77d64f40ec21dbca"
},
{
"signature_version": "v1",
"digest": {
"threshold": 0.9,
"line_hashes": [
"121814727917269825992131836999985050963",
"298267915154587452876886544777427068938",
"282573389757620155815616580531410822510",
"269720996699874041568060301118804221307",
"249485973173475354699874583791255338974",
"163003489577756010779999028251281952452",
"218298565025257988988789408720540365376",
"169778653232398226371230222016112937610",
"319617917630390611906981834359995872729",
"35605940954645578034094000539336851577",
"143172898726842876009787125349408616457",
"199456423979748562218296294895497466579",
"121703461158421987751558183568836888460",
"119252131887575870254911058204892656126",
"154209073899366858489076971940195901144",
"288445759025385252526285905757035961241",
"339822914855695523957998899001429830011",
"340035948791806997037086204323442388482",
"102538741992484052745193791205931064368",
"93058470078601136049217408318380656754",
"248302819031810314742980675807672767100",
"331486682590955069761620275803417523282"
]
},
"id": "CVE-2022-48830-11e6c148",
"deprecated": false,
"target": {
"file": "net/can/isotp.c"
},
"signature_type": "Line",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@7b53d2204ce79b27a878074a77d64f40ec21dbca"
},
{
"signature_version": "v1",
"digest": {
"length": 1304.0,
"function_hash": "87326571918448109347011092351753801296"
},
"id": "CVE-2022-48830-232558f5",
"deprecated": false,
"target": {
"file": "net/can/isotp.c",
"function": "isotp_init"
},
"signature_type": "Function",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@7c759040c1dd03954f650f147ae7175476d51314"
},
{
"signature_version": "v1",
"digest": {
"threshold": 0.9,
"line_hashes": [
"121814727917269825992131836999985050963",
"298267915154587452876886544777427068938",
"282573389757620155815616580531410822510",
"269720996699874041568060301118804221307",
"249485973173475354699874583791255338974",
"163003489577756010779999028251281952452",
"218298565025257988988789408720540365376",
"169778653232398226371230222016112937610",
"319617917630390611906981834359995872729",
"35605940954645578034094000539336851577",
"143172898726842876009787125349408616457",
"199456423979748562218296294895497466579",
"121703461158421987751558183568836888460",
"119252131887575870254911058204892656126",
"154209073899366858489076971940195901144",
"288445759025385252526285905757035961241",
"339822914855695523957998899001429830011",
"340035948791806997037086204323442388482",
"102538741992484052745193791205931064368",
"93058470078601136049217408318380656754",
"248302819031810314742980675807672767100",
"331486682590955069761620275803417523282"
]
},
"id": "CVE-2022-48830-2e532779",
"deprecated": false,
"target": {
"file": "net/can/isotp.c"
},
"signature_type": "Line",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@5b068f33bc8acfcfd5ea7992a2dafb30d89bad30"
},
{
"signature_version": "v1",
"digest": {
"length": 1304.0,
"function_hash": "87326571918448109347011092351753801296"
},
"id": "CVE-2022-48830-323ef57b",
"deprecated": false,
"target": {
"file": "net/can/isotp.c",
"function": "isotp_init"
},
"signature_type": "Function",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@5b068f33bc8acfcfd5ea7992a2dafb30d89bad30"
},
{
"signature_version": "v1",
"digest": {
"threshold": 0.9,
"line_hashes": [
"121814727917269825992131836999985050963",
"298267915154587452876886544777427068938",
"282573389757620155815616580531410822510",
"269720996699874041568060301118804221307",
"249485973173475354699874583791255338974",
"163003489577756010779999028251281952452",
"218298565025257988988789408720540365376",
"169778653232398226371230222016112937610",
"319617917630390611906981834359995872729",
"35605940954645578034094000539336851577",
"143172898726842876009787125349408616457",
"199456423979748562218296294895497466579",
"121703461158421987751558183568836888460",
"119252131887575870254911058204892656126",
"154209073899366858489076971940195901144",
"288445759025385252526285905757035961241",
"339822914855695523957998899001429830011",
"340035948791806997037086204323442388482",
"102538741992484052745193791205931064368",
"93058470078601136049217408318380656754",
"248302819031810314742980675807672767100",
"331486682590955069761620275803417523282"
]
},
"id": "CVE-2022-48830-370b5af9",
"deprecated": false,
"target": {
"file": "net/can/isotp.c"
},
"signature_type": "Line",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@7c759040c1dd03954f650f147ae7175476d51314"
},
{
"signature_version": "v1",
"digest": {
"length": 1100.0,
"function_hash": "294895818130174989360678105078570897775"
},
"id": "CVE-2022-48830-7aad8c69",
"deprecated": false,
"target": {
"file": "net/can/isotp.c",
"function": "isotp_rcv"
},
"signature_type": "Function",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@7c759040c1dd03954f650f147ae7175476d51314"
},
{
"signature_version": "v1",
"digest": {
"length": 1100.0,
"function_hash": "294895818130174989360678105078570897775"
},
"id": "CVE-2022-48830-83e94112",
"deprecated": false,
"target": {
"file": "net/can/isotp.c",
"function": "isotp_rcv"
},
"signature_type": "Function",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@5b068f33bc8acfcfd5ea7992a2dafb30d89bad30"
},
{
"signature_version": "v1",
"digest": {
"threshold": 0.9,
"line_hashes": [
"121814727917269825992131836999985050963",
"298267915154587452876886544777427068938",
"282573389757620155815616580531410822510",
"269720996699874041568060301118804221307",
"249485973173475354699874583791255338974",
"163003489577756010779999028251281952452",
"218298565025257988988789408720540365376",
"169778653232398226371230222016112937610",
"319617917630390611906981834359995872729",
"35605940954645578034094000539336851577",
"143172898726842876009787125349408616457",
"199456423979748562218296294895497466579",
"121703461158421987751558183568836888460",
"119252131887575870254911058204892656126",
"154209073899366858489076971940195901144",
"288445759025385252526285905757035961241",
"339822914855695523957998899001429830011",
"340035948791806997037086204323442388482",
"102538741992484052745193791205931064368",
"93058470078601136049217408318380656754",
"248302819031810314742980675807672767100",
"331486682590955069761620275803417523282"
]
},
"id": "CVE-2022-48830-9683e6f4",
"deprecated": false,
"target": {
"file": "net/can/isotp.c"
},
"signature_type": "Line",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@f90cc68f9f4b5d8585ad5d0a206a9d37ac299ef3"
},
{
"signature_version": "v1",
"digest": {
"length": 1304.0,
"function_hash": "87326571918448109347011092351753801296"
},
"id": "CVE-2022-48830-e3d36c0e",
"deprecated": false,
"target": {
"file": "net/can/isotp.c",
"function": "isotp_init"
},
"signature_type": "Function",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@f90cc68f9f4b5d8585ad5d0a206a9d37ac299ef3"
},
{
"signature_version": "v1",
"digest": {
"length": 1100.0,
"function_hash": "294895818130174989360678105078570897775"
},
"id": "CVE-2022-48830-f92d9a2f",
"deprecated": false,
"target": {
"file": "net/can/isotp.c",
"function": "isotp_rcv"
},
"signature_type": "Function",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@f90cc68f9f4b5d8585ad5d0a206a9d37ac299ef3"
},
{
"signature_version": "v1",
"digest": {
"length": 1304.0,
"function_hash": "87326571918448109347011092351753801296"
},
"id": "CVE-2022-48830-fd68d26e",
"deprecated": false,
"target": {
"file": "net/can/isotp.c",
"function": "isotp_init"
},
"signature_type": "Function",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@7b53d2204ce79b27a878074a77d64f40ec21dbca"
}
]
}