CVE-2021-47457 can: isotp: isotp_sendmsg(): add result check for wait_event_interruptible()

2024-05-2206:19:46

Linux

github.com

linux kernel

vulnerability resolved

transmission

interruptible

syzbot

warning

cpu

pid

rip

hardware

qemu

bios

timer handler

call trace

hrtimer

softirq

irq

accessers

tx buffer

cve

AI Score

Confidence

Low

EPSS

Percentile

15.5%

SSVC

Exploitation

none

Automatable

Technical Impact

partial

JSON

In the Linux kernel, the following vulnerability has been resolved:

can: isotp: isotp_sendmsg(): add result check for wait_event_interruptible()

Using wait_event_interruptible() to wait for complete transmission,
but do not check the result of wait_event_interruptible() which can be
interrupted. It will result in TX buffer has multiple accessors and
the later process interferes with the previous process.

Following is one of the problems reported by syzbot.

=============================================================
WARNING: CPU: 0 PID: 0 at net/can/isotp.c:840 isotp_tx_timer_handler+0x2e0/0x4c0
CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.13.0-rc7+ #68
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1 04/01/2014
RIP: 0010:isotp_tx_timer_handler+0x2e0/0x4c0
Call Trace:
<IRQ>
? isotp_setsockopt+0x390/0x390
__hrtimer_run_queues+0xb8/0x610
hrtimer_run_softirq+0x91/0xd0
? rcu_read_lock_sched_held+0x4d/0x80
__do_softirq+0xe8/0x553
irq_exit_rcu+0xf8/0x100
sysvec_apic_timer_interrupt+0x9e/0xc0
</IRQ>
asm_sysvec_apic_timer_interrupt+0x12/0x20

Add result check for wait_event_interruptible() in isotp_sendmsg()
to avoid multiple accessers for tx buffer.

CNA Affected

[
  {
    "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
    "vendor": "Linux",
    "product": "Linux",
    "versions": [
      {
        "status": "affected",
        "version": "e057dd3fc20f",
        "lessThan": "053bc12df0d6",
        "versionType": "git"
      },
      {
        "status": "affected",
        "version": "e057dd3fc20f",
        "lessThan": "a76abedd2be3",
        "versionType": "git"
      },
      {
        "status": "affected",
        "version": "e057dd3fc20f",
        "lessThan": "9acf636215a6",
        "versionType": "git"
      }
    ],
    "programFiles": [
      "net/can/isotp.c"
    ],
    "defaultStatus": "unaffected"
  },
  {
    "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
    "vendor": "Linux",
    "product": "Linux",
    "versions": [
      {
        "status": "affected",
        "version": "5.10"
      },
      {
        "status": "unaffected",
        "version": "0",
        "lessThan": "5.10",
        "versionType": "custom"
      },
      {
        "status": "unaffected",
        "version": "5.10.76",
        "versionType": "custom",
        "lessThanOrEqual": "5.10.*"
      },
      {
        "status": "unaffected",
        "version": "5.14.15",
        "versionType": "custom",
        "lessThanOrEqual": "5.14.*"
      },
      {
        "status": "unaffected",
        "version": "5.15",
        "versionType": "original_commit_for_fix",
        "lessThanOrEqual": "*"
      }
    ],
    "programFiles": [
      "net/can/isotp.c"
    ],
    "defaultStatus": "affected"
  }
]