CVE-2022-48830 in Linux
Summary
by MITRE • 07/16/2024
In the Linux kernel, the following vulnerability has been resolved:
can: isotp: fix potential CAN frame reception race in isotp_rcv()
When receiving a CAN frame the current code logic does not consider concurrently receiving processes which do not show up in real world usage.
Ziyang Xuan writes:
The following syz problem is one of the scenarios. so->rx.len is changed by isotp_rcv_ff() during isotp_rcv_cf(), so->rx.len equals 0 before alloc_skb() and equals 4096 after alloc_skb(). That will trigger skb_over_panic() in skb_put().
======================================================= CPU: 1 PID: 19 Comm: ksoftirqd/1 Not tainted 5.16.0-rc8-syzkaller #0 RIP: 0010:skb_panic+0x16c/0x16e net/core/skbuff.c:113 Call Trace: skb_over_panic net/core/skbuff.c:118 [inline]
skb_put.cold+0x24/0x24 net/core/skbuff.c:1990 isotp_rcv_cf net/can/isotp.c:570 [inline]
isotp_rcv+0xa38/0x1e30 net/can/isotp.c:668 deliver net/can/af_can.c:574 [inline]
can_rcv_filter+0x445/0x8d0 net/can/af_can.c:635 can_receive+0x31d/0x580 net/can/af_can.c:665 can_rcv+0x120/0x1c0 net/can/af_can.c:696 __netif_receive_skb_one_core+0x114/0x180 net/core/dev.c:5465 __netif_receive_skb+0x24/0x1b0 net/core/dev.c:5579
Therefore we make sure the state changes and data structures stay consistent at CAN frame reception time by adding a spin_lock in isotp_rcv(). This fixes the issue reported by syzkaller but does not affect real world operation.
Be aware that VulDB is the high quality source for vulnerability data.
Analysis
by VulDB Data Team • 11/12/2025
The vulnerability CVE-2022-48830 resides within the Linux kernel's CAN (Controller Area Network) protocol implementation, specifically in the ISO Transport Protocol (ISOTP) layer responsible for handling CAN frame reception. This issue manifests as a race condition during the processing of CAN frames, where concurrent access to shared data structures creates a potential for system instability and memory corruption. The vulnerability was identified through syzkaller, an automated fuzzer that systematically tests kernel code paths to uncover concurrency issues and memory safety problems. The flaw occurs in the isotp_rcv() function which processes incoming CAN frames, particularly when handling first frames (FF) and consecutive frames (CF) in rapid succession or in concurrent execution contexts.
The technical root cause stems from improper synchronization mechanisms within the ISOTP frame reception logic. During the processing sequence, isotp_rcv_ff() modifies the so->rx.len field to indicate the expected frame length, while isotp_rcv_cf() attempts to allocate memory for the frame data using alloc_skb(). The race condition occurs because the length value changes between the time it's checked before alloc_skb() and when it's validated after allocation, leading to a situation where skb_put() receives an invalid length parameter that exceeds the allocated buffer space. This triggers the skb_over_panic() function which is designed to detect buffer overruns and prevents memory corruption from propagating further, but the underlying race condition remains a serious stability concern.
The operational impact of this vulnerability extends beyond simple system crashes, as it represents a potential vector for denial-of-service attacks against systems relying on CAN communication for critical functions. The CAN bus is extensively used in automotive systems, industrial control environments, and embedded devices where reliable communication is paramount. When a race condition occurs in the ISOTP layer, it can cause kernel oops, system hangs, or unpredictable behavior that could compromise the safety and reliability of connected systems. This vulnerability is particularly concerning in automotive contexts where CAN frames carry critical safety-related information, and any instability in frame reception could lead to vehicle malfunctions or security breaches. The race condition affects the kernel's ability to properly handle concurrent frame processing, potentially causing data loss or incorrect frame interpretation that could have cascading effects throughout the connected system.
The fix implemented addresses this race condition by introducing a spin_lock mechanism within the isotp_rcv() function to ensure atomic access to the shared data structures during frame reception. This synchronization approach prevents concurrent processes from modifying the rx.len field and other critical state variables while frame processing is underway, maintaining data consistency throughout the entire reception cycle. The solution follows established kernel development practices for handling concurrent access to shared resources, ensuring that the fix does not alter the normal operational behavior of the ISOTP protocol while providing the necessary protection against race conditions. This approach aligns with CWE-362, which addresses race conditions in concurrent programming, and follows ATT&CK technique T1499.004 for defensive measures against system resource manipulation. The fix maintains backward compatibility while strengthening the kernel's resilience against concurrent access patterns that could previously lead to memory corruption and system instability. The implementation ensures that all frame reception operations proceed in a controlled manner without compromising the real-time requirements of CAN communication systems while providing the necessary synchronization to prevent the reported race condition scenario.