Linux Kernel CAN Netlink NULL Pointer Dereference Vulnerability

Vulnerability

A NULL pointer dereference vulnerability has been identified in the Linux kernel's CAN netlink implementation. The issue occurs when a CAN device is manually restarted from a 'Bus Off' state and the corresponding driver does not provide a specific callback function. The vulnerability can be triggered through direct user-space commands or by an automatic restart after a 'Bus Off' event (automatic restart is typically disabled by default). Because the required callback is absent, the kernel dereferences a NULL pointer, potentially causing a system crash.

Impact

Exploitation of this vulnerability leads to a NULL pointer dereference in the kernel, causing a system crash (denial of service).

Reproduction

To reproduce this vulnerability, manually restart a CAN device that is in a 'Bus Off' state using the 'can_changelink()' function. Ensure that the device's driver does not implement the 'struct can_priv::do_set_mode' callback. Alternatively, allow the device to undergo a delayed automatic restart after 'Bus Off', which can be activated through the 'can_changelink()' function.

Remediation

The vulnerability has been addressed in Linux kernel commits '0ca816a96fdcf32644c80cbe7a82c7b6ce6ddda5', '6acceb46180f9e160d4f0c56fcaf39ba562822ae', '6bbcf37c5114926c99a1d1e6993a5b35689d2599', and 'cf81a60a973358dea163f6b14062f17831ceb894'. Users should upgrade to the latest version of the Linux kernel stable tree.
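As an added illustration, not code from this page or from the kernel tree: the following simplified C model shows the unguarded restart path described under Reproduction next to a guarded form of the kind the Remediation implies. The struct and function names here are assumptions loosely modelled on the kernel names cited above, not the kernel's real definitions, and the exact guard added by the referenced commits is not reproduced.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical, simplified model of the driver-private data. The real
 * kernel 'struct can_priv' has many more fields; only what the
 * restart path needs is modelled here (assumption). */
enum can_mode  { CAN_MODE_STOP = 0, CAN_MODE_START, CAN_MODE_SLEEP };
enum can_state { CAN_STATE_ERROR_ACTIVE = 0, CAN_STATE_BUS_OFF = 4 };

struct can_priv {
    enum can_state state;
    /* Optional driver callback: a driver may leave this NULL. */
    int (*do_set_mode)(struct can_priv *priv, enum can_mode mode);
};

/* Example driver callback (constructed): starting the controller
 * takes it out of Bus Off. */
static int example_set_mode(struct can_priv *priv, enum can_mode mode)
{
    if (mode == CAN_MODE_START)
        priv->state = CAN_STATE_ERROR_ACTIVE;
    return 0;
}

/* Unguarded restart: the pattern the advisory describes. If the driver
 * did not install do_set_mode, the indirect call below dereferences
 * NULL. Never call this with a NULL callback. */
int can_restart_unguarded(struct can_priv *priv)
{
    if (priv->state != CAN_STATE_BUS_OFF)
        return -EBUSY;
    return priv->do_set_mode(priv, CAN_MODE_START);
}

/* Guarded restart: reject the request up front when the driver does not
 * support the operation, before any state check or indirect call.
 * -EOPNOTSUPP is the return code assumed here; the real fix may differ. */
int can_restart_guarded(struct can_priv *priv)
{
    if (!priv->do_set_mode)
        return -EOPNOTSUPP;
    if (priv->state != CAN_STATE_BUS_OFF)
        return -EBUSY;
    return priv->do_set_mode(priv, CAN_MODE_START);
}

/* Helper for callers that want to probe support without restarting. */
int can_supports_restart(const struct can_priv *priv)
{
    return priv->do_set_mode != NULL;
}

int main(void)
{
    /* Device whose driver implements the callback. */
    struct can_priv with_cb = { CAN_STATE_BUS_OFF, example_set_mode };
    /* Device whose driver omits it: the vulnerable configuration. */
    struct can_priv without_cb = { CAN_STATE_BUS_OFF, NULL };

    printf("with callback: rc=%d state=%d\n",
           can_restart_guarded(&with_cb), with_cb.state);
    printf("without callback: rc=%d (expected -EOPNOTSUPP=%d)\n",
           can_restart_guarded(&without_cb), -EOPNOTSUPP);
    /* can_restart_unguarded(&without_cb) would crash here. */
    return 0;
}
```

The point of the guarded form is ordering: the NULL check precedes every other use of the callback, so both the user-initiated restart and a delayed automatic restart take the same safe exit when the driver cannot honour the request.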

Added: Aug 22, 2025, 4:37 PM
Updated: Aug 22, 2025, 4:37 PM

Vulnerability Rating

Custom Algorithm
spread: 9.0
impact: 2.5
exploitability: 4.3
remediation: 8.3
relevance: 0.4
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.