CVE-2020-36789

Source
https://nvd.nist.gov/vuln/detail/CVE-2020-36789
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2020-36789.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2020-36789
Published
2025-04-17T18:15:42Z
Modified
2025-04-29T18:55:11Z
Severity
  • 5.5 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Summary
[none]
Details

In the Linux kernel, the following vulnerability has been resolved:

can: dev: can_get_echo_skb(): prevent call to kfree_skb() in hard IRQ context

If a driver calls can_get_echo_skb() during a hardware IRQ (which is often, but not always, the case), the 'WARN_ON(in_irq)' in net/core/skbuff.c#skb_release_head_state() might be triggered, under network congestion circumstances, together with the potential risk of a NULL pointer dereference.

The root cause of this issue is the call to kfree_skb() instead of dev_kfree_skb_irq() in net/core/dev.c#enqueue_to_backlog().

This patch prevents the skb to be freed within the call to netif_rx() by incrementing its reference count with skb_get(). The skb is finally freed by one of the in-irq-context safe functions: dev_consume_skb_any() or dev_kfree_skb_any(). The "any" version is used because some drivers might call can_get_echo_skb() in a normal context.

The reason for this issue to occur is that initially, in the core network stack, loopback skb were not supposed to be received in hardware IRQ context. The CAN stack is an exception.

This bug was previously reported back in 2017 in [1] but the proposed patch never got accepted.

While [1] directly modifies net/core/dev.c, we try to propose here a smoother modification local to CAN network stack (the assumption behind is that only CAN devices are affected by this issue).

[1] http://lore.kernel.org/r/57a3ffb6-3309-3ad5-5a34-e93c3fe3614d@cetitec.com

Affected packages

Debian:11 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
5.9.9-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
5.9.9-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
5.9.9-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}