About CVE-2022-28390 – Linux kernel 5.17.1 found design flaw in can/usb interface driver (4th Apr 2022)

Preface: If the workstation is running Linux kernel 5.17.1, this vulnerability (CVE-2022-28390) puts the adjacent communications peer device at risk: it allows an attacker to execute arbitrary code on that adjacent communications peer device.

Background: The CANbus USB adapter connects a CANbus to the USB port of a PC or notebook, which also supplies the power to the adapter (no power supply needed). The CAN/USB Data Converter allows a personal computer to act as a diagnostic analyzer during development and testing of an automotive ECU (electronic control unit) or industrial field bus system that supports the CAN communications protocol.

Vulnerability details: ems_usb_start_xmit in drivers/net/can/usb/ems_usb.c in the Linux kernel through 5.17.1 has a double free. Freeing the same memory twice may result in a write-what-where condition, allowing an attacker to execute arbitrary code.

According to the developer's (Hangyu Hua) explanation, there is no need to call dev_kfree_skb() when usb_submit_urb() fails, because can_put_echo_skb() already releases the original skb and can_free_echo_skb() releases the cloned skb.

Known Limitations: dev_kfree_skb() is just a macro that simply calls kfree_skb(). kfree_skb() bypasses the reference count of the skb. Generally speaking, a "__" prefix on a function name in the kernel signals that it is to be used with caution, that is, some checks are omitted, so check before calling such functions.
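The ownership rule behind the fix is easy to get wrong, so here is an added, user-space model of it (example code written for this page, not the kernel driver itself). The kernel's sk_buff, can_put_echo_skb(), can_free_echo_skb() and dev_kfree_skb() are replaced by small stand-ins (model_* functions, an assumption of this example) that only track whether a buffer has already been released, so a second release is counted instead of corrupting the heap. The error path mirrors the unwind in ems_usb_start_xmit after usb_submit_urb() fails: once the skb has been handed to the echo queue, the driver no longer owns it, and the extra dev_kfree_skb() is the double free.

```c
#include <stdio.h>
#include <string.h>

#define ECHO_SLOTS 4

/* Stand-in for struct sk_buff: only the release state matters here. */
struct skb {
    int id;
    int freed;   /* 1 once released; releasing again is a double free */
};

/* Stand-in for the CAN device's private data and its echo queue. */
struct priv {
    struct skb echo[ECHO_SLOTS];   /* cloned skbs waiting for the TX echo */
    int echo_used[ECHO_SLOTS];
    int double_frees;              /* number of release-after-release events */
};

/* Stand-in for dev_kfree_skb(): records a double free instead of crashing. */
static void model_kfree_skb(struct priv *p, struct skb *skb)
{
    if (skb->freed)
        p->double_frees++;
    skb->freed = 1;
}

/* Stand-in for can_put_echo_skb(): the echo queue keeps a clone and the
 * caller's original is consumed, so the caller must not free it afterwards. */
static void model_can_put_echo_skb(struct priv *p, struct skb *skb, int idx)
{
    p->echo[idx].id = skb->id;
    p->echo[idx].freed = 0;
    p->echo_used[idx] = 1;
    model_kfree_skb(p, skb);   /* original skb is released here */
}

/* Stand-in for can_free_echo_skb(): drops the queued clone on TX abort. */
static void model_can_free_echo_skb(struct priv *p, int idx)
{
    if (p->echo_used[idx]) {
        model_kfree_skb(p, &p->echo[idx]);
        p->echo_used[idx] = 0;
    }
}

/* Models the ems_usb_start_xmit() error path when usb_submit_urb() fails.
 * fixed == 0 reproduces the CVE-2022-28390 control flow; fixed == 1 is the
 * patched flow that omits the extra dev_kfree_skb(). Returns the number of
 * double frees observed. */
static int model_xmit_submit_fails(struct priv *p, struct skb *skb, int fixed)
{
    int idx = 0;

    model_can_put_echo_skb(p, skb, idx);   /* ownership moves to the echo queue */
    /* usb_submit_urb() fails here (simulated), so the driver unwinds: */
    model_can_free_echo_skb(p, idx);       /* releases the queued clone */
    if (!fixed)
        model_kfree_skb(p, skb);           /* bug: original was already consumed */
    return p->double_frees;
}

/* Convenience wrappers that run one constructed skb through each variant. */
int run_buggy_path(void)
{
    struct priv p;
    struct skb s = { 1, 0 };
    memset(&p, 0, sizeof(p));
    return model_xmit_submit_fails(&p, &s, 0);   /* expected: 1 double free */
}

int run_fixed_path(void)
{
    struct priv p;
    struct skb s = { 1, 0 };
    memset(&p, 0, sizeof(p));
    return model_xmit_submit_fails(&p, &s, 1);   /* expected: 0 double frees */
}

int main(void)
{
    printf("buggy path double frees: %d\n", run_buggy_path());
    printf("fixed path double frees: %d\n", run_fixed_path());
    return 0;
}
```

The model makes the same point as the patch description: after can_put_echo_skb() the only reference the driver still holds is the echo-queue clone, which can_free_echo_skb() releases, so any further free of the original skb on the failure path is one release too many. A defender auditing similar USB CAN drivers can apply the same check: trace who owns the skb at every exit of the xmit function and make sure each owner releases it exactly once.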

Solution: upgrade to v5.18-rc1.
