Linux Kernel NULL Pointer Dereference Vulnerability in CAN Protocol Handling

Vulnerability

A NULL pointer dereference vulnerability has been identified in the Linux kernel's CAN protocol handling. The issue is in the 'af_can' component: 'can_rx_register()' is called on a device whose 'ml_priv' field was never initialized for CAN use. It can be reproduced by creating a netlink socket, creating a bond link device, and binding a virtual CAN device to that bond. When a CAN socket is then bound to the bond device, the 'can-raw' protocol registration path runs; because the per-device receive lists were never allocated, 'dev_rcv_lists' is NULL and the kernel dereferences it.

Impact

Exploitation of this vulnerability causes a kernel panic due to a NULL pointer dereference, disrupting system operations and potentially leading to a denial of service.

Reproduction

To reproduce this vulnerability, first create a netlink socket for CAN using the appropriate syscall. Next, create a bond link device and a virtual CAN link device, and bind the virtual CAN device to the bond device. With the bond device set up, create a CAN socket and bind it to the bond device. This invokes the CAN raw protocol registration path, where the NULL pointer dereference occurs.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 2.5
exploitability: 4.3
remediation: 0.0
relevance: 0.0
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.