Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
A vulnerability in the Linux kernel's Kvaser PCIe FD CAN driver has been identified, related to improper handling of the echo_skb_max parameter. The issue arises because the driver allocates an array for echo_skb based on a maximum transmission count of 17, but this value is then rounded up to 32. This discrepancy can lead to the transmission and acknowledgment indices exceeding the allocated array boundary, causing a slab-out-of-bounds memory access. The Linux Verification Center discovered this vulnerability using Syzkaller.
Exploitation of this vulnerability causes a slab-out-of-bounds memory access, which can lead to memory corruption.
The vulnerability can be reproduced by using the Kvaser PCIe FD CAN driver in the Linux kernel. When the driver allocates the echo_skb array, the maximum transmission count is set to 17. However, the echo_skb_max parameter is rounded up to 32, allowing the transmission and acknowledgment indices to exceed the allocated memory boundary. This out-of-bounds access is reported by the Kernel Address Sanitizer (KASAN) as a slab-out-of-bounds error.
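The size mismatch described above, modeled in user space as an added example (not the driver's code and not part of the original advisory). The names simulate_ring, roundup_pow2 and TX_MAX_COUNT are hypothetical, and wrapping the index at echo_skb_max is an assumption about how the indices are derived; out-of-range stores are counted instead of performed.

```c
#include <stdio.h>
#include <stdlib.h>

#define TX_MAX_COUNT 17u /* slots allocated, per the description above */

/* Smallest power of two >= n (n >= 1): 17 -> 32. */
static unsigned int roundup_pow2(unsigned int n)
{
    unsigned int p = 1;
    while (p < n)
        p <<= 1;
    return p;
}

/* Push `frames` transmissions through a ring of `allocated` slots whose index
 * wraps at `echo_skb_max` (assumed indexing). Out-of-range stores are counted
 * and skipped, not performed. Returns the count, or -1 if calloc fails. */
static int simulate_ring(unsigned int allocated, unsigned int echo_skb_max,
                         unsigned int frames)
{
    int *echo_skb = calloc(allocated, sizeof(*echo_skb));
    unsigned int tx_idx = 0;
    int oob = 0;

    if (!echo_skb)
        return -1;
    for (unsigned int i = 0; i < frames; i++) {
        if (tx_idx < allocated)
            echo_skb[tx_idx] = 1; /* store lands inside the allocation */
        else
            oob++;                /* the access KASAN would flag */
        tx_idx = (tx_idx + 1) % echo_skb_max;
    }
    free(echo_skb);
    return oob;
}

int main(void)
{
    unsigned int rounded = roundup_pow2(TX_MAX_COUNT);

    printf("17 slots, wrap at %u: %d out-of-range stores in 64 frames\n",
           rounded, simulate_ring(TX_MAX_COUNT, rounded, 64));
    printf("17 slots, wrap at 17: %d out-of-range stores in 64 frames\n",
           simulate_ring(TX_MAX_COUNT, TX_MAX_COUNT, 64));
    return 0;
}
```

The first 17 frames stay in bounds in both cases; the out-of-range stores begin only once the index passes slot 16, so light traffic may never trigger the KASAN report.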