CVE-2019-3701

Published: 03 January 2019

An issue was discovered in can_can_gw_rcv in net/can/gw.c in the Linux kernel through 4.19.13. The CAN frame modification rules allow bitwise logical operations that can be also applied to the can_dlc field. The privileged user "root" with CAP_NET_ADMIN can create a CAN frame modification rule that makes the data length code a higher value than the available CAN frame data size. In combination with a configured checksum calculation where the result is stored relatively to the end of the data (e.g. cgw_csum_xor_rel) the tail of the skb (e.g. frag_list pointer in skb_shared_info) can be rewritten which finally can cause a system crash. Because of a missing check, the CAN drivers may write arbitrary content beyond the data registers in the CAN controller's I/O memory when processing can-gw manipulated outgoing frames.

From the Ubuntu security team

Muyu Yu discovered that the CAN implementation in the Linux kernel in some situations did not properly restrict the field size when processing outgoing frames. A local attacker with CAP_NET_ADMIN privileges could use this to execute arbitrary code.

Priority

Negligible

CVSS 3 base score: 4.4

Status

Package Release Status
linux
Launchpad, Ubuntu, Debian
Upstream
Released (5.0~rc3)
Ubuntu 18.04 LTS (Bionic Beaver)
Released (4.15.0-60.67)
Ubuntu 16.04 ESM (Xenial Xerus)
Released (4.4.0-145.171)
Ubuntu 14.04 ESM (Trusty Tahr) Ignored
(was needed ESM criteria)
Patches:
Introduced by c1aabdf379bc2feeb0df7057ed5bad96f492133e
Fixed by 0aaa81377c5a01f686bcdb8c7a6929a7bf330c68
linux-aws
Launchpad, Ubuntu, Debian
Upstream
Released (5.0~rc3)
Ubuntu 18.04 LTS (Bionic Beaver)
Released (4.15.0-1047.49)
Ubuntu 16.04 ESM (Xenial Xerus)
Released (4.4.0-1079.89)
Ubuntu 14.04 ESM (Trusty Tahr)
Released (4.4.0-1040.43)
linux-aws-5.0
Launchpad, Ubuntu, Debian
Upstream
Released (5.0~rc3)
Ubuntu 18.04 LTS (Bionic Beaver) Not vulnerable
(5.0.0-1021.24~18.04.1)
Ubuntu 16.04 ESM (Xenial Xerus) Does not exist

Ubuntu 14.04 ESM (Trusty Tahr) Does not exist

linux-aws-hwe
Launchpad, Ubuntu, Debian
Upstream
Released (5.0~rc3)
Ubuntu 18.04 LTS (Bionic Beaver) Does not exist

Ubuntu 16.04 ESM (Xenial Xerus)
Released (4.15.0-1047.49~16.04.1)
Ubuntu 14.04 ESM (Trusty Tahr) Does not exist

linux-azure
Launchpad, Ubuntu, Debian
Upstream
Released (5.0~rc3)
Ubuntu 18.04 LTS (Bionic Beaver)
Released (5.0.0-1014.14~18.04.1)
Ubuntu 16.04 ESM (Xenial Xerus)
Released (4.15.0-1056.61)
Ubuntu 14.04 ESM (Trusty Tahr) Ignored
(was needed ESM criteria)
linux-azure-5.3
Launchpad, Ubuntu, Debian
Upstream
Released (5.0~rc3)
Ubuntu 18.04 LTS (Bionic Beaver) Not vulnerable
(5.3.0-1007.8~18.04.1)
Ubuntu 16.04 ESM (Xenial Xerus) Does not exist

Ubuntu 14.04 ESM (Trusty Tahr) Does not exist

linux-azure-edge
Launchpad, Ubuntu, Debian
Upstream
Released (5.0~rc3)
Ubuntu 18.04 LTS (Bionic Beaver)
Released (5.0.0-1014.14~18.04.1)
Ubuntu 16.04 ESM (Xenial Xerus)
Released (4.15.0-1056.61)
Ubuntu 14.04 ESM (Trusty Tahr) Does not exist

linux-euclid
Launchpad, Ubuntu, Debian
Upstream
Released (5.0~rc3)
Ubuntu 18.04 LTS (Bionic Beaver) Does not exist

Ubuntu 16.04 ESM (Xenial Xerus) Ignored
(was needs-triage ESM criteria)
Ubuntu 14.04 ESM (Trusty Tahr) Does not exist

linux-flo
Launchpad, Ubuntu, Debian
Upstream
Released (5.0~rc3)
Ubuntu 18.04 LTS (Bionic Beaver) Does not exist

Ubuntu 16.04 ESM (Xenial Xerus) Ignored
(abandoned)
Ubuntu 14.04 ESM (Trusty Tahr) Does not exist
(trusty was ignored [abandoned])
linux-gcp
Launchpad, Ubuntu, Debian
Upstream
Released (5.0~rc3)
Ubuntu 18.04 LTS (Bionic Beaver)
Released (4.15.0-1042.45)
Ubuntu 16.04 ESM (Xenial Xerus)
Released (4.15.0-1041.43)
Ubuntu 14.04 ESM (Trusty Tahr) Does not exist

linux-gcp-5.3
Launchpad, Ubuntu, Debian
Upstream
Released (5.0~rc3)
Ubuntu 18.04 LTS (Bionic Beaver) Not vulnerable
(5.3.0-1008.9~18.04.1)
Ubuntu 16.04 ESM (Xenial Xerus) Does not exist

Ubuntu 14.04 ESM (Trusty Tahr) Does not exist

linux-gcp-edge
Launchpad, Ubuntu, Debian
Upstream
Released (5.0~rc3)
Ubuntu 18.04 LTS (Bionic Beaver)
Released (4.15.0-1042.45)
Ubuntu 16.04 ESM (Xenial Xerus) Does not exist

Ubuntu 14.04 ESM (Trusty Tahr) Does not exist

linux-gke
Launchpad, Ubuntu, Debian
Upstream
Released (5.0~rc3)
Ubuntu 18.04 LTS (Bionic Beaver) Does not exist

Ubuntu 16.04 ESM (Xenial Xerus) Ignored
(end-of-life)
Ubuntu 14.04 ESM (Trusty Tahr) Does not exist

linux-gke-4.15
Launchpad, Ubuntu, Debian
Upstream
Released (5.0~rc3)
Ubuntu 18.04 LTS (Bionic Beaver)
Released (4.15.0-1041.43)
Ubuntu 16.04 ESM (Xenial Xerus) Does not exist

Ubuntu 14.04 ESM (Trusty Tahr) Does not exist

linux-gke-5.0
Launchpad, Ubuntu, Debian
Upstream
Released (5.0~rc3)
Ubuntu 18.04 LTS (Bionic Beaver) Not vulnerable
(5.0.0-1011.11~18.04.1)
Ubuntu 16.04 ESM (Xenial Xerus) Does not exist

Ubuntu 14.04 ESM (Trusty Tahr) Does not exist

linux-goldfish
Launchpad, Ubuntu, Debian
Upstream
Released (5.0~rc3)
Ubuntu 18.04 LTS (Bionic Beaver) Does not exist

Ubuntu 16.04 ESM (Xenial Xerus) Ignored
(end-of-life)
Ubuntu 14.04 ESM (Trusty Tahr) Does not exist
(trusty was ignored [abandoned])
linux-grouper
Launchpad, Ubuntu, Debian
Upstream
Released (5.0~rc3)
Ubuntu 18.04 LTS (Bionic Beaver) Does not exist

Ubuntu 16.04 ESM (Xenial Xerus) Does not exist

Ubuntu 14.04 ESM (Trusty Tahr) Does not exist
(trusty was ignored [abandoned])
linux-hwe
Launchpad, Ubuntu, Debian
Upstream
Released (5.0~rc3)
Ubuntu 18.04 LTS (Bionic Beaver)
Released (5.0.0-23.24~18.04.1)
Ubuntu 16.04 ESM (Xenial Xerus)
Released (4.15.0-60.67~16.04.1)
Ubuntu 14.04 ESM (Trusty Tahr) Does not exist

linux-hwe-edge
Launchpad, Ubuntu, Debian
Upstream
Released (5.0~rc3)
Ubuntu 18.04 LTS (Bionic Beaver) Not vulnerable
(5.0.0-15.16~18.04.1)
Ubuntu 16.04 ESM (Xenial Xerus)
Released (4.15.0-60.67~16.04.1)
Ubuntu 14.04 ESM (Trusty Tahr) Does not exist

linux-kvm
Launchpad, Ubuntu, Debian
Upstream
Released (5.0~rc3)
Ubuntu 18.04 LTS (Bionic Beaver)
Released (4.15.0-1043.43)
Ubuntu 16.04 ESM (Xenial Xerus)
Released (4.4.0-1043.49)
Ubuntu 14.04 ESM (Trusty Tahr) Does not exist

linux-lts-trusty
Launchpad, Ubuntu, Debian
Upstream
Released (5.0~rc3)
Ubuntu 18.04 LTS (Bionic Beaver) Does not exist

Ubuntu 16.04 ESM (Xenial Xerus) Does not exist

Ubuntu 14.04 ESM (Trusty Tahr) Does not exist

linux-lts-utopic
Launchpad, Ubuntu, Debian
Upstream
Released (5.0~rc3)
Ubuntu 18.04 LTS (Bionic Beaver) Does not exist

Ubuntu 16.04 ESM (Xenial Xerus) Does not exist

Ubuntu 14.04 ESM (Trusty Tahr) Does not exist
(trusty was ignored [end-of-life])
linux-lts-vivid
Launchpad, Ubuntu, Debian
Upstream
Released (5.0~rc3)
Ubuntu 18.04 LTS (Bionic Beaver) Does not exist

Ubuntu 16.04 ESM (Xenial Xerus) Does not exist

Ubuntu 14.04 ESM (Trusty Tahr) Does not exist
(trusty was ignored [end-of-life])
linux-lts-wily
Launchpad, Ubuntu, Debian
Upstream
Released (5.0~rc3)
Ubuntu 18.04 LTS (Bionic Beaver) Does not exist

Ubuntu 16.04 ESM (Xenial Xerus) Does not exist

Ubuntu 14.04 ESM (Trusty Tahr) Does not exist
(trusty was ignored [end-of-life])
linux-lts-xenial
Launchpad, Ubuntu, Debian
Upstream
Released (5.0~rc3)
Ubuntu 18.04 LTS (Bionic Beaver) Does not exist

Ubuntu 16.04 ESM (Xenial Xerus) Does not exist

Ubuntu 14.04 ESM (Trusty Tahr)
Released (4.4.0-144.170~14.04.1)
linux-maguro
Launchpad, Ubuntu, Debian
Upstream
Released (5.0~rc3)
Ubuntu 18.04 LTS (Bionic Beaver) Does not exist

Ubuntu 16.04 ESM (Xenial Xerus) Does not exist

Ubuntu 14.04 ESM (Trusty Tahr) Does not exist
(trusty was ignored [abandoned])
linux-mako
Launchpad, Ubuntu, Debian
Upstream
Released (5.0~rc3)
Ubuntu 18.04 LTS (Bionic Beaver) Does not exist

Ubuntu 16.04 ESM (Xenial Xerus) Ignored
(abandoned)
Ubuntu 14.04 ESM (Trusty Tahr) Does not exist
(trusty was ignored [abandoned])
linux-manta
Launchpad, Ubuntu, Debian
Upstream
Released (5.0~rc3)
Ubuntu 18.04 LTS (Bionic Beaver) Does not exist

Ubuntu 16.04 ESM (Xenial Xerus) Does not exist

Ubuntu 14.04 ESM (Trusty Tahr) Does not exist
(trusty was ignored [abandoned])
linux-oem
Launchpad, Ubuntu, Debian
Upstream
Released (5.0~rc3)
Ubuntu 18.04 LTS (Bionic Beaver)
Released (4.15.0-1056.65)
Ubuntu 16.04 ESM (Xenial Xerus) Ignored
(was needs-triage now end-of-life)
Ubuntu 14.04 ESM (Trusty Tahr) Does not exist

linux-oem-5.4
Launchpad, Ubuntu, Debian
Upstream
Released (5.0~rc3)
Ubuntu 18.04 LTS (Bionic Beaver) Does not exist

Ubuntu 16.04 ESM (Xenial Xerus) Does not exist

Ubuntu 14.04 ESM (Trusty Tahr) Does not exist

linux-oem-osp1
Launchpad, Ubuntu, Debian
Upstream
Released (5.0~rc3)
Ubuntu 18.04 LTS (Bionic Beaver) Not vulnerable
(5.0.0-1010.11)
Ubuntu 16.04 ESM (Xenial Xerus) Does not exist

Ubuntu 14.04 ESM (Trusty Tahr) Does not exist

linux-oracle
Launchpad, Ubuntu, Debian
Upstream
Released (5.0~rc3)
Ubuntu 18.04 LTS (Bionic Beaver)
Released (4.15.0-1022.25)
Ubuntu 16.04 ESM (Xenial Xerus)
Released (4.15.0-1022.25~16.04.1)
Ubuntu 14.04 ESM (Trusty Tahr) Does not exist

linux-oracle-5.0
Launchpad, Ubuntu, Debian
Upstream
Released (5.0~rc3)
Ubuntu 18.04 LTS (Bionic Beaver) Not vulnerable
(5.0.0-1007.12~18.04.1)
Ubuntu 16.04 ESM (Xenial Xerus) Does not exist

Ubuntu 14.04 ESM (Trusty Tahr) Does not exist

linux-raspi2
Launchpad, Ubuntu, Debian
Upstream
Released (5.0~rc3)
Ubuntu 18.04 LTS (Bionic Beaver)
Released (4.15.0-1044.47)
Ubuntu 16.04 ESM (Xenial Xerus)
Released (4.4.0-1106.114)
Ubuntu 14.04 ESM (Trusty Tahr) Does not exist

linux-raspi2-5.3
Launchpad, Ubuntu, Debian
Upstream
Released (5.0~rc3)
Ubuntu 18.04 LTS (Bionic Beaver) Not vulnerable
(5.3.0-1017.19~18.04.1)
Ubuntu 16.04 ESM (Xenial Xerus) Does not exist

Ubuntu 14.04 ESM (Trusty Tahr) Does not exist

linux-snapdragon
Launchpad, Ubuntu, Debian
Upstream
Released (5.0~rc3)
Ubuntu 18.04 LTS (Bionic Beaver)
Released (4.15.0-1062.69)
Ubuntu 16.04 ESM (Xenial Xerus)
Released (4.4.0-1110.115)
Ubuntu 14.04 ESM (Trusty Tahr) Does not exist