Linux Kernel KMSAN Uninitialized Value Vulnerability in CAN BCM Transmission Setup

Vulnerability

A vulnerability has been identified in the Linux kernel's CAN BCM (Broadcast Communication Management) implementation, specifically within the 'bcm_tx_setup' function. This issue, reported by Syzkaller, involves the handling of asynchronous I/O operations. The 'bcm_tx_setup' function copies data from a message into a frame structure using 'memcpy_from_msg'. If this copy returns an error, the code still compares a length field of the frame with a constant, potentially reading memory that was never initialized. KMSAN (Kernel Memory Sanitizer) reports this as an uninitialized value bug, meaning the kernel used data that had not been properly initialized. The vulnerability affects several versions of the Linux kernel.
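The check ordering described above, modelled in userspace C as an added example; it is not the kernel's code and not the upstream patch. The names model_copy_from_msg and struct model_frame, the 0xAA poison fill standing in for uninitialized memory, and the limit of 8 are assumptions made for the illustration.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

#define POISON 0xAA      /* constructed stand-in for uninitialized bytes */
#define MODEL_MAX_LEN 8  /* assumed limit; the page only says "a constant" */

struct model_frame { unsigned char len; unsigned char data[8]; };

/* Hypothetical stand-in for memcpy_from_msg(): on failure it returns a
 * negative errno and writes nothing to dst. A NULL src models the fault. */
static int model_copy_from_msg(void *dst, const void *src, size_t n)
{
    if (!src)
        return -EFAULT;
    memcpy(dst, src, n);
    return 0;
}

/* Flawed ordering: the length check runs even when the copy failed. */
int setup_unchecked(const struct model_frame *msg)
{
    struct model_frame cf;
    int err;
    memset(&cf, POISON, sizeof(cf));  /* deterministic "never written" memory */
    err = model_copy_from_msg(&cf, msg, sizeof(cf));
    if (cf.len > MODEL_MAX_LEN)       /* reads cf.len regardless of err */
        err = -EINVAL;
    return err;
}

/* Corrected ordering: bail out on a failed copy before reading the frame. */
int setup_checked(const struct model_frame *msg)
{
    struct model_frame cf;
    int err;
    memset(&cf, POISON, sizeof(cf));
    err = model_copy_from_msg(&cf, msg, sizeof(cf));
    if (err < 0)
        return err;
    return cf.len > MODEL_MAX_LEN ? -EINVAL : 0;
}

int main(void)
{
    printf("failed copy: unchecked=%d checked=%d\n",
           setup_unchecked(NULL), setup_checked(NULL));
    return 0;
}
```

With the flawed ordering, the error returned after a failed copy is decided by whatever bytes happen to sit in the frame; with the corrected ordering the caller sees the copy's own error and the frame is never read.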

Impact

Exploitation of this vulnerability can lead to undefined behavior in the kernel, as it allows for the use of uninitialized memory, which can be manipulated to cause various types of kernel-level issues, such as memory corruption or incorrect program behavior.

Reproduction

The vulnerability can be reproduced by sending a CAN message that triggers the 'bcm_tx_setup' function in the BCM CAN driver. This can be done using a tool like Syzkaller, which is designed to find and exploit vulnerabilities in kernel code. The specific sequence of operations involves submitting an I/O request that the BCM driver processes, during which the uninitialized memory issue occurs.

Remediation

Users can upgrade to the latest stable version of the Linux kernel, where this vulnerability has been addressed. Instructions for upgrading the kernel can be found in the official Linux kernel documentation.

Added: Sep 17, 2025, 4:04 PM
Updated: Sep 17, 2025, 4:04 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 0.6
exploitability: 4.3
remediation: 7.7
relevance: 0.6
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.