Bug 1210627 (CVE-2023-2166) - VUL-0: CVE-2023-2166: kernel: NULL pointer dereference in can_rcv_filter
Status: RESOLVED FIXED
Alias: CVE-2023-2166
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P3 - Medium, Severity: Normal
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/363822/
Whiteboard: CVSSv3.1:SUSE:CVE-2023-2166:5.5:(AV:L...
Reported: 2023-04-19 08:33 UTC by Alexander Bergmann
Modified: 2024-06-25 17:36 UTC
Found By: Security Response Team
Description Alexander Bergmann 2023-04-19 08:33:58 UTC
CVE-2023-2166

A null pointer dereference issue was found in can protocol in net/can/af_can.c in the Linux before Linux. ml_priv may not be initialized in the receive path of CAN frames. A local user could use this flaw to crash the system or potentially cause a denial of service.

Affected component: can protocol

References:
https://lore.kernel.org/lkml/CAO4mrfcV_07hbj8NUuZrA8FH-kaRsrFy-2metecpTuE5kKHn5w@mail.gmail.com/
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=0acc442309a0a1b01bcdaa135e56e6398a49439c

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-2166
https://bugzilla.redhat.com/show_bug.cgi?id=2187813
Comment 1 Joey Lee 2023-04-20 06:42:27 UTC
(In reply to Alexander Bergmann from comment #0)

commit 0acc442309a0a1b01bcdaa135e56e6398a49439c    [v6.1~9^2~8^2~3]
Author: Oliver Hartkopp <socketcan@hartkopp.net>
Date:   Tue Dec 6 21:12:59 2022 +0100

    can: af_can: fix NULL pointer dereference in can_rcv_filter

issue patch:
commit 4e096a18867a5a989b510f6999d9c6b6622e8f7b    [v5.12-rc1-dontuse~33^2~9]      
Author: Oleksij Rempel <o.rempel@pengutronix.de>
Date:   Tue Feb 23 08:01:26 2021 +0100

    net: introduce CAN specific pointer in the struct net_device

15-SP3  5.3     [NOT affect]
15-SP4  5.14    [affect]
15-SP5  5.14    [affect]
stable  6.2     [OK]

I didn't see net/can maintainer in our list:
https://wiki.suse.net/index.php/SUSE-Labs_Publications/Linux_Kernel_Maintainers#SUSE_Kernel_Teams

I will backport the patch to 15-SP4/SP5.
Comment 2 Joey Lee 2023-04-28 09:07:27 UTC
(In reply to Joey Lee from comment #1)

Not good! Many net/can patches must be backported for 0acc442309a0. I am looking at how to simplify it.
Comment 6 Joey Lee 2023-08-02 06:25:26 UTC
(In reply to Joey Lee from comment #2)

Update status:

15-SP4  5.14    [sent]
15-SP5  5.14    [sent]

The 0acc442309a0 patch needs the 96a7457a14d9 patch, but then we would need to
backport many patches with big changes to net/can from v6.0. To avoid
backporting 96a7457a14d9, I have modified that patch when backporting:

- Still using skb->len != CAN_MTU instead of !can_is_can_skb(skb)

- Removed canxl_rcv part because it needs fb08cba12b52cb patch
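
The guard described in this report, as an added user-space model (not the kernel source and not the SUSE backport): frames on a CAN-typed device whose ml_priv is unset must be dropped before the receive filter uses that pointer. The struct names, `run_case`, the `RX_NULL_DEREF` verdict and the shape of the pre-fix check are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>

#define ARPHRD_CAN 280 /* device type for CAN, as in linux/if_arp.h */
#define CAN_MTU    16  /* sizeof(struct can_frame) */
/* Hypothetical user-space stand-ins for net_device, its CAN ml_priv and sk_buff. */
struct ml_priv_model { unsigned long rx_matches; };
struct netdev_model  { unsigned short type; struct ml_priv_model *ml_priv; };
struct skb_model     { struct netdev_model *dev; unsigned int len; };

enum verdict { RX_DROP, RX_DELIVER, RX_NULL_DEREF };
typedef int (*guard_fn)(const struct skb_model *);

/* Assumed shape of the check before the fix: device type and frame length only. */
static int guard_before(const struct skb_model *skb)
{
    return skb->dev->type == ARPHRD_CAN && skb->len == CAN_MTU;
}

/* Backported shape: also require ml_priv, keep the skb->len != CAN_MTU test. */
static int guard_backport(const struct skb_model *skb)
{
    return skb->dev->type == ARPHRD_CAN && skb->dev->ml_priv != NULL && skb->len == CAN_MTU;
}

/* Receive path: frames passing the guard reach the filter, which uses ml_priv. */
static enum verdict can_rcv_model(const struct skb_model *skb, guard_fn guard)
{
    if (!guard(skb))
        return RX_DROP;
    if (skb->dev->ml_priv == NULL)
        return RX_NULL_DEREF; /* the kernel would oops here; the model reports it */
    skb->dev->ml_priv->rx_matches++;
    return RX_DELIVER;
}

/* Build one constructed device/frame pair and run it through the chosen guard. */
enum verdict run_case(unsigned short type, int has_priv, unsigned int len, guard_fn guard)
{
    struct ml_priv_model priv = { 0 };
    struct netdev_model dev = { type, has_priv ? &priv : NULL };
    struct skb_model skb = { &dev, len };
    return can_rcv_model(&skb, guard);
}

int main(void)
{
    static const char *name[] = { "drop", "deliver", "NULL deref" };
    printf("ml_priv set : before=%s backport=%s\n", name[run_case(ARPHRD_CAN, 1, CAN_MTU, guard_before)],
           name[run_case(ARPHRD_CAN, 1, CAN_MTU, guard_backport)]);
    printf("ml_priv NULL: before=%s backport=%s\n", name[run_case(ARPHRD_CAN, 0, CAN_MTU, guard_before)],
           name[run_case(ARPHRD_CAN, 0, CAN_MTU, guard_backport)]);
    return 0;
}
```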
Comment 26 Joey Lee 2023-08-14 05:03:01 UTC
Update status:

15-SP4  5.14    [merged]
15-SP5  5.14    [merged]

reset assigner.
Comment 27 Maintenance Automation 2023-08-14 08:30:09 UTC
SUSE-SU-2023:3302-1: An update that solves 28 vulnerabilities, contains two features and has 115 fixes can now be installed.

Category: security (important)
Bug References: 1150305, 1187829, 1193629, 1194869, 1206418, 1207129, 1207894, 1207948, 1208788, 1210335, 1210565, 1210584, 1210627, 1210780, 1210825, 1210853, 1211014, 1211131, 1211243, 1211738, 1211811, 1211867, 1212051, 1212256, 1212265, 1212301, 1212445, 1212456, 1212502, 1212525, 1212603, 1212604, 1212685, 1212766, 1212835, 1212838, 1212842, 1212846, 1212848, 1212861, 1212869, 1212892, 1212901, 1212905, 1212961, 1213010, 1213011, 1213012, 1213013, 1213014, 1213015, 1213016, 1213017, 1213018, 1213019, 1213020, 1213021, 1213024, 1213025, 1213032, 1213034, 1213035, 1213036, 1213037, 1213038, 1213039, 1213040, 1213041, 1213059, 1213061, 1213087, 1213088, 1213089, 1213090, 1213092, 1213093, 1213094, 1213095, 1213096, 1213098, 1213099, 1213100, 1213102, 1213103, 1213104, 1213105, 1213106, 1213107, 1213108, 1213109, 1213110, 1213111, 1213112, 1213113, 1213114, 1213116, 1213134, 1213167, 1213205, 1213206, 1213226, 1213233, 1213245, 1213247, 1213252, 1213258, 1213259, 1213263, 1213264, 1213272, 1213286, 1213287, 1213304, 1213417, 1213493, 1213523, 1213524, 1213533, 1213543, 1213578, 1213585, 1213586, 1213588, 1213601, 1213620, 1213632, 1213653, 1213705, 1213713, 1213715, 1213747, 1213756, 1213759, 1213777, 1213810, 1213812, 1213856, 1213857, 1213863, 1213867, 1213870, 1213871, 1213872
CVE References: CVE-2022-40982, CVE-2023-0459, CVE-2023-1829, CVE-2023-20569, CVE-2023-20593, CVE-2023-21400, CVE-2023-2156, CVE-2023-2166, CVE-2023-2430, CVE-2023-2985, CVE-2023-3090, CVE-2023-31083, CVE-2023-3111, CVE-2023-3117, CVE-2023-31248, CVE-2023-3212, CVE-2023-3268, CVE-2023-3389, CVE-2023-3390, CVE-2023-35001, CVE-2023-3567, CVE-2023-3609, CVE-2023-3611, CVE-2023-3776, CVE-2023-3812, CVE-2023-38409, CVE-2023-3863, CVE-2023-4004
Jira References: PED-4718, PED-4758
Sources used:
openSUSE Leap 15.5 (src): kernel-livepatch-SLE15-SP5-RT_Update_3-1-150500.11.5.1, kernel-syms-rt-5.14.21-150500.13.11.1, kernel-source-rt-5.14.21-150500.13.11.1
SUSE Linux Enterprise Live Patching 15-SP5 (src): kernel-livepatch-SLE15-SP5-RT_Update_3-1-150500.11.5.1
SUSE Real Time Module 15-SP5 (src): kernel-syms-rt-5.14.21-150500.13.11.1, kernel-source-rt-5.14.21-150500.13.11.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 28 Maintenance Automation 2023-08-14 16:30:14 UTC
SUSE-SU-2023:3313-1: An update that solves 13 vulnerabilities and has 20 fixes can now be installed.

Category: security (important)
Bug References: 1206418, 1207129, 1210627, 1210780, 1211131, 1211738, 1212502, 1212604, 1212901, 1213167, 1213272, 1213287, 1213304, 1213585, 1213586, 1213588, 1213620, 1213653, 1213713, 1213715, 1213747, 1213756, 1213759, 1213777, 1213810, 1213812, 1213842, 1213856, 1213857, 1213863, 1213867, 1213870, 1213871
CVE References: CVE-2022-40982, CVE-2023-0459, CVE-2023-20569, CVE-2023-21400, CVE-2023-2156, CVE-2023-2166, CVE-2023-31083, CVE-2023-3268, CVE-2023-3567, CVE-2023-3609, CVE-2023-3611, CVE-2023-3776, CVE-2023-4004
Sources used:
SUSE Linux Enterprise Micro for Rancher 5.4 (src): kernel-default-base-5.14.21-150400.24.81.1.150400.24.35.3
SUSE Linux Enterprise Micro 5.4 (src): kernel-default-base-5.14.21-150400.24.81.1.150400.24.35.3
Basesystem Module 15-SP4 (src): kernel-default-base-5.14.21-150400.24.81.1.150400.24.35.3, kernel-source-5.14.21-150400.24.81.1
Development Tools Module 15-SP4 (src): kernel-source-5.14.21-150400.24.81.1, kernel-syms-5.14.21-150400.24.81.1, kernel-obs-build-5.14.21-150400.24.81.1
SUSE Linux Enterprise Live Patching 15-SP4 (src): kernel-livepatch-SLE15-SP4_Update_16-1-150400.9.3.3
openSUSE Leap 15.4 (src): kernel-obs-qa-5.14.21-150400.24.81.1, kernel-default-base-5.14.21-150400.24.81.1.150400.24.35.3, kernel-syms-5.14.21-150400.24.81.1, kernel-source-5.14.21-150400.24.81.1, kernel-obs-build-5.14.21-150400.24.81.1, kernel-livepatch-SLE15-SP4_Update_16-1-150400.9.3.3
openSUSE Leap Micro 5.3 (src): kernel-default-base-5.14.21-150400.24.81.1.150400.24.35.3
openSUSE Leap Micro 5.4 (src): kernel-default-base-5.14.21-150400.24.81.1.150400.24.35.3
SUSE Linux Enterprise Micro for Rancher 5.3 (src): kernel-default-base-5.14.21-150400.24.81.1.150400.24.35.3
SUSE Linux Enterprise Micro 5.3 (src): kernel-default-base-5.14.21-150400.24.81.1.150400.24.35.3

Comment 29 Maintenance Automation 2023-08-14 16:30:29 UTC
SUSE-SU-2023:3311-1: An update that solves 15 vulnerabilities and has 27 fixes can now be installed.

Category: security (important)
Bug References: 1206418, 1207129, 1207948, 1210627, 1210780, 1210825, 1211131, 1211738, 1211811, 1212445, 1212502, 1212604, 1212766, 1212901, 1213167, 1213272, 1213287, 1213304, 1213417, 1213578, 1213585, 1213586, 1213588, 1213601, 1213620, 1213632, 1213653, 1213713, 1213715, 1213747, 1213756, 1213759, 1213777, 1213810, 1213812, 1213856, 1213857, 1213863, 1213867, 1213870, 1213871, 1213872
CVE References: CVE-2022-40982, CVE-2023-0459, CVE-2023-20569, CVE-2023-21400, CVE-2023-2156, CVE-2023-2166, CVE-2023-31083, CVE-2023-3268, CVE-2023-3567, CVE-2023-3609, CVE-2023-3611, CVE-2023-3776, CVE-2023-38409, CVE-2023-3863, CVE-2023-4004
Sources used:
openSUSE Leap 15.5 (src): kernel-syms-5.14.21-150500.55.19.1, kernel-default-base-5.14.21-150500.55.19.1.150500.6.6.4, kernel-livepatch-SLE15-SP5_Update_3-1-150500.11.3.4, kernel-source-5.14.21-150500.55.19.1, kernel-obs-qa-5.14.21-150500.55.19.1, kernel-obs-build-5.14.21-150500.55.19.1
Basesystem Module 15-SP5 (src): kernel-default-base-5.14.21-150500.55.19.1.150500.6.6.4, kernel-source-5.14.21-150500.55.19.1
Development Tools Module 15-SP5 (src): kernel-obs-build-5.14.21-150500.55.19.1, kernel-syms-5.14.21-150500.55.19.1, kernel-source-5.14.21-150500.55.19.1
SUSE Linux Enterprise Live Patching 15-SP5 (src): kernel-livepatch-SLE15-SP5_Update_3-1-150500.11.3.4

Comment 30 Maintenance Automation 2023-08-15 12:30:05 UTC
SUSE-SU-2023:3318-1: An update that solves 20 vulnerabilities and has 89 fixes can now be installed.

Category: security (important)
Bug References: 1150305, 1193629, 1194869, 1206418, 1207129, 1207894, 1208788, 1210565, 1210584, 1210627, 1210780, 1210853, 1211131, 1211243, 1211738, 1211811, 1211867, 1212301, 1212502, 1212604, 1212846, 1212901, 1212905, 1213010, 1213011, 1213012, 1213013, 1213014, 1213015, 1213016, 1213017, 1213018, 1213019, 1213020, 1213021, 1213024, 1213025, 1213032, 1213034, 1213035, 1213036, 1213037, 1213038, 1213039, 1213040, 1213041, 1213059, 1213061, 1213087, 1213088, 1213089, 1213090, 1213092, 1213093, 1213094, 1213095, 1213096, 1213098, 1213099, 1213100, 1213102, 1213103, 1213104, 1213105, 1213106, 1213107, 1213108, 1213109, 1213110, 1213111, 1213112, 1213113, 1213114, 1213134, 1213167, 1213245, 1213247, 1213252, 1213258, 1213259, 1213263, 1213264, 1213272, 1213286, 1213287, 1213304, 1213523, 1213524, 1213543, 1213585, 1213586, 1213588, 1213620, 1213653, 1213705, 1213713, 1213715, 1213747, 1213756, 1213759, 1213777, 1213810, 1213812, 1213856, 1213857, 1213863, 1213867, 1213870, 1213871
CVE References: CVE-2022-40982, CVE-2023-0459, CVE-2023-20569, CVE-2023-20593, CVE-2023-21400, CVE-2023-2156, CVE-2023-2166, CVE-2023-2985, CVE-2023-31083, CVE-2023-3117, CVE-2023-31248, CVE-2023-3268, CVE-2023-3390, CVE-2023-35001, CVE-2023-3567, CVE-2023-3609, CVE-2023-3611, CVE-2023-3776, CVE-2023-3812, CVE-2023-4004
Sources used:
openSUSE Leap 15.4 (src): kernel-syms-rt-5.14.21-150400.15.46.1, kernel-source-rt-5.14.21-150400.15.46.1
SUSE Linux Enterprise Live Patching 15-SP4 (src): kernel-livepatch-SLE15-SP4-RT_Update_11-1-150400.1.5.1
SUSE Real Time Module 15-SP4 (src): kernel-syms-rt-5.14.21-150400.15.46.1, kernel-source-rt-5.14.21-150400.15.46.1

Comment 31 Maintenance Automation 2023-08-22 16:30:03 UTC
SUSE-SU-2023:3376-1: An update that solves 15 vulnerabilities and has 27 fixes can now be installed.

Category: security (important)
Bug References: 1206418, 1207129, 1207948, 1210627, 1210780, 1210825, 1211131, 1211738, 1211811, 1212445, 1212502, 1212604, 1212766, 1212901, 1213167, 1213272, 1213287, 1213304, 1213417, 1213578, 1213585, 1213586, 1213588, 1213601, 1213620, 1213632, 1213653, 1213713, 1213715, 1213747, 1213756, 1213759, 1213777, 1213810, 1213812, 1213856, 1213857, 1213863, 1213867, 1213870, 1213871, 1213872
CVE References: CVE-2022-40982, CVE-2023-0459, CVE-2023-20569, CVE-2023-21400, CVE-2023-2156, CVE-2023-2166, CVE-2023-31083, CVE-2023-3268, CVE-2023-3567, CVE-2023-3609, CVE-2023-3611, CVE-2023-3776, CVE-2023-38409, CVE-2023-3863, CVE-2023-4004
Sources used:
openSUSE Leap 15.5 (src): kernel-syms-azure-5.14.21-150500.33.14.1, kernel-source-azure-5.14.21-150500.33.14.1
Public Cloud Module 15-SP5 (src): kernel-syms-azure-5.14.21-150500.33.14.1, kernel-source-azure-5.14.21-150500.33.14.1

Comment 32 Maintenance Automation 2023-08-22 20:30:13 UTC
SUSE-SU-2023:3377-1: An update that solves 11 vulnerabilities and has 19 fixes can now be installed.

Category: security (important)
Bug References: 1206418, 1207129, 1210627, 1210780, 1211131, 1211738, 1212502, 1212604, 1212901, 1213167, 1213272, 1213287, 1213304, 1213588, 1213620, 1213653, 1213713, 1213715, 1213747, 1213756, 1213759, 1213777, 1213810, 1213812, 1213856, 1213857, 1213863, 1213867, 1213870, 1213871
CVE References: CVE-2022-40982, CVE-2023-0459, CVE-2023-20569, CVE-2023-21400, CVE-2023-2156, CVE-2023-2166, CVE-2023-31083, CVE-2023-3268, CVE-2023-3567, CVE-2023-3776, CVE-2023-4004
Sources used:
openSUSE Leap 15.4 (src): kernel-source-azure-5.14.21-150400.14.63.1, kernel-syms-azure-5.14.21-150400.14.63.1
Public Cloud Module 15-SP4 (src): kernel-source-azure-5.14.21-150400.14.63.1, kernel-syms-azure-5.14.21-150400.14.63.1

Comment 36 Robert Frohl 2024-05-06 12:34:27 UTC
done, closing