{"id":"CVE-2022-48830","summary":"can: isotp: fix potential CAN frame reception race in isotp_rcv()","details":"In the Linux kernel, the following vulnerability has been resolved:\n\ncan: isotp: fix potential CAN frame reception race in isotp_rcv()\n\nWhen receiving a CAN frame the current code logic does not consider\nconcurrently receiving processes which do not show up in real world\nusage.\n\nZiyang Xuan writes:\n\nThe following syz problem is one of the scenarios. so-\u003erx.len is\nchanged by isotp_rcv_ff() during isotp_rcv_cf(), so-\u003erx.len equals\n0 before alloc_skb() and equals 4096 after alloc_skb(). That will\ntrigger skb_over_panic() in skb_put().\n\n=======================================================\nCPU: 1 PID: 19 Comm: ksoftirqd/1 Not tainted 5.16.0-rc8-syzkaller #0\nRIP: 0010:skb_panic+0x16c/0x16e net/core/skbuff.c:113\nCall Trace:\n \u003cTASK\u003e\n skb_over_panic net/core/skbuff.c:118 [inline]\n skb_put.cold+0x24/0x24 net/core/skbuff.c:1990\n isotp_rcv_cf net/can/isotp.c:570 [inline]\n isotp_rcv+0xa38/0x1e30 net/can/isotp.c:668\n deliver net/can/af_can.c:574 [inline]\n can_rcv_filter+0x445/0x8d0 net/can/af_can.c:635\n can_receive+0x31d/0x580 net/can/af_can.c:665\n can_rcv+0x120/0x1c0 net/can/af_can.c:696\n __netif_receive_skb_one_core+0x114/0x180 net/core/dev.c:5465\n __netif_receive_skb+0x24/0x1b0 net/core/dev.c:5579\n\nTherefore we make sure the state changes and data structures stay\nconsistent at CAN frame reception time by adding a spin_lock in\nisotp_rcv(). This fixes the issue reported by syzkaller but does not\naffect real world operation.","modified":"2026-03-20T12:21:55.680631Z","published":"2024-07-16T11:44:13.987Z","related":["ALSA-2025:20518","SUSE-SU-2024:2894-1","SUSE-SU-2024:2902-1","SUSE-SU-2024:2929-1","SUSE-SU-2024:2939-1","SUSE-SU-2024:2947-1"],"database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/48xxx/CVE-2022-48830.json","cna_assigner":"Linux"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/5b068f33bc8acfcfd5ea7992a2dafb30d89bad30"},{"type":"WEB","url":"https://git.kernel.org/stable/c/7b53d2204ce79b27a878074a77d64f40ec21dbca"},{"type":"WEB","url":"https://git.kernel.org/stable/c/7c759040c1dd03954f650f147ae7175476d51314"},{"type":"WEB","url":"https://git.kernel.org/stable/c/f90cc68f9f4b5d8585ad5d0a206a9d37ac299ef3"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/48xxx/CVE-2022-48830.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-48830"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"e057dd3fc20ffb3d7f150af46542a51b59b90127"},{"fixed":"7b53d2204ce79b27a878074a77d64f40ec21dbca"},{"fixed":"f90cc68f9f4b5d8585ad5d0a206a9d37ac299ef3"},{"fixed":"5b068f33bc8acfcfd5ea7992a2dafb30d89bad30"},{"fixed":"7c759040c1dd03954f650f147ae7175476d51314"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-48830.json"}}],"schema_version":"1.7.5"}