Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*, +4 more
A vulnerability in the Linux kernel's handling of the SAE J1939 protocol (net/can/j1939) can lead to an out-of-bounds memory read. The issue is in 'j1939_tp_tx_dat_new()', which copies a J1939 control block into a newly allocated skb with a 'memcpy()' whose length is 'sizeof(skb->cb)'. The source of that copy is a 'struct j1939_sk_buff_cb', and 'skb->cb' is larger than that structure, so the 'memcpy()' reads past the end of the source. This is a read overflow rather than a write overflow: the destination 'skb->cb' is large enough to receive the whole copy, but the bytes copied beyond 'sizeof(struct j1939_sk_buff_cb)' come from whatever memory follows the source structure. The fix changes the 'memcpy()' length to the size of 'struct j1939_sk_buff_cb', so that only the structure itself is read, and adds a compile-time check that 'skb->cb' is large enough to hold a 'struct j1939_sk_buff_cb', so that the now source-sized copy can never overflow the destination either.
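As an added example (my own userspace model, not the kernel's code), the vulnerable 'memcpy()' and the fixed one side by side, together with the compile-time check that accompanies the fix. The type definitions are simplified stand-ins: 'struct j1939_sk_buff_cb' is cut down to a few fields, 'SKB_CB_SIZE' mirrors the 48-byte 'skb->cb', and 'struct src_area' is a constructed object that embeds the control block with marker bytes after it. The helper names 'copy_cb_vulnerable', 'copy_cb_fixed', 'run_copy', 'leaked_bytes' and 'cb_fields_match' are mine, and the '_Static_assert' stands in for the kernel's 'BUILD_BUG_ON'.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins for the kernel types, not the real definitions.
 * skb->cb is a fixed-size scratch array (48 bytes on current kernels); the
 * J1939 control block stored in it is a smaller structure. */
#define SKB_CB_SIZE 48

struct sk_buff {
	unsigned char cb[SKB_CB_SIZE];
};

struct j1939_sk_buff_cb {	/* simplified: the real struct has more fields */
	uint32_t offset;
	uint32_t msg_flags;
	uint32_t pgn;
	uint8_t sa, da, priority;
};

/* Userspace stand-in for the compile-time check the fix adds (BUILD_BUG_ON in
 * the kernel): the control block must fit in skb->cb, otherwise the
 * source-sized memcpy() in copy_cb_fixed() would overflow the destination. */
_Static_assert(sizeof(struct j1939_sk_buff_cb) <= SKB_CB_SIZE,
	       "struct j1939_sk_buff_cb does not fit in skb->cb");

/* Vulnerable pattern: the length is the size of the destination array, so
 * memcpy() reads sizeof(skb->cb) bytes from a source that is only
 * sizeof(struct j1939_sk_buff_cb) bytes long. noinline keeps the compiler from
 * seeing the caller's object, as at the kernel call site. */
__attribute__((noinline))
static void copy_cb_vulnerable(struct sk_buff *skb,
			       const struct j1939_sk_buff_cb *re_skcb)
{
	memcpy(skb->cb, re_skcb, sizeof(skb->cb));	/* over-reads re_skcb */
}

/* Fixed pattern: bound the copy by the size of the source structure. */
__attribute__((noinline))
static void copy_cb_fixed(struct sk_buff *skb,
			  const struct j1939_sk_buff_cb *re_skcb)
{
	memcpy(skb->cb, re_skcb, sizeof(*re_skcb));
}

/* Constructed source object: in the kernel the control block being copied is
 * embedded in a larger object, so the over-read picks up whatever follows it.
 * Here the trailing bytes carry a marker so they can be spotted in the
 * destination. sizeof(struct src_area) == SKB_CB_SIZE, so the over-read stays
 * inside this object but beyond the structure. */
#define STALE_MARKER 0xAA
struct src_area {
	struct j1939_sk_buff_cb skcb;
	unsigned char trailing[SKB_CB_SIZE - sizeof(struct j1939_sk_buff_cb)];
};

static void run_copy(int use_fixed, struct src_area *src, struct sk_buff *skb)
{
	memset(src, STALE_MARKER, sizeof(*src));
	memset(&src->skcb, 0, sizeof(src->skcb));
	src->skcb.pgn = 0xEC00;		/* TP.CM, illustrative value */
	src->skcb.sa = 0x80;
	src->skcb.da = 0x90;
	src->skcb.priority = 6;

	memset(skb->cb, 0, sizeof(skb->cb));
	if (use_fixed)
		copy_cb_fixed(skb, &src->skcb);
	else
		copy_cb_vulnerable(skb, &src->skcb);
}

/* Bytes in the new skb's cb beyond the control block that came from outside the
 * source structure: 0 for the fixed copy, SKB_CB_SIZE - sizeof(struct) for the
 * vulnerable one. */
static size_t leaked_bytes(int use_fixed)
{
	struct src_area src;
	struct sk_buff skb;
	size_t i, n = 0;

	run_copy(use_fixed, &src, &skb);
	for (i = sizeof(struct j1939_sk_buff_cb); i < sizeof(skb.cb); i++)
		if (skb.cb[i] == STALE_MARKER)
			n++;
	return n;
}

/* Both variants deliver the control block itself intact. */
static int cb_fields_match(int use_fixed)
{
	struct src_area src;
	struct sk_buff skb;

	run_copy(use_fixed, &src, &skb);
	return memcmp(skb.cb, &src.skcb, sizeof(src.skcb)) == 0;
}

int main(void)
{
	printf("vulnerable copy: %zu bytes read past the structure\n",
	       leaked_bytes(0));
	printf("fixed copy: %zu bytes read past the structure\n", leaked_bytes(1));
	return 0;
}
```

Build with 'cc -Wall example.c' and run: the vulnerable variant reports 'SKB_CB_SIZE - sizeof(struct j1939_sk_buff_cb)' marker bytes landing in the new control block, the fixed variant reports none, and both deliver the control-block fields themselves unchanged. The point of the '_Static_assert' is that, once the copy is bounded by the source size, the only remaining way to go wrong is a destination that is too small, and that is a property of the type layout that can be ruled out at compile time rather than checked on every call.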
Because the over-long copy reads past the end of the source 'struct j1939_sk_buff_cb' rather than writing past the destination, the effect is an out-of-bounds read, not memory corruption: bytes that happen to follow the control block are copied into the new 'skb->cb', where they may be disclosed or influence later processing of that skb, and if the read reaches unmapped memory or is caught by a memory-safety checker such as KASAN the result is a kernel crash. It does not by itself give an attacker a write into kernel memory.
Both sizes involved are fixed at compile time ('skb->cb' is a fixed-size array and 'struct j1939_sk_buff_cb' has a fixed layout), so the triggering condition is not something an attacker controls or a frame can be crafted to create: every copy performed by 'j1939_tp_tx_dat_new()' on an affected kernel reads past the source structure. Reaching the function only requires exercising the J1939 transport-protocol transmit path, for example by having the kernel build transport-protocol packets for a multi-frame J1939 message sent from a CAN_J1939 socket; no malformed CAN data is needed.
Users should upgrade to a kernel release that contains the fix, either mainline or a stable series into which it has been backported; distribution users should take the corresponding vendor kernel update. Downloads and stable-series information are available on the official Linux kernel website. On systems that do not need SAE J1939, keeping the 'can-j1939' protocol module from loading (for example by blacklisting it in modprobe configuration) removes the affected code path until the kernel is updated.