Linux Kernel mcba_usb Driver Buffer Overflow Vulnerability via Invalid MTU Configuration

Vulnerability

A buffer overflow vulnerability has been identified in the Linux kernel's mcba_usb CAN driver. The driver does not properly handle changes to the interface's Maximum Transmission Unit (MTU), so an attacker can set an excessively high MTU that the driver fails to validate. The attacker can then use a raw packet socket to inject malicious CAN XL frames. The driver's transmission function misinterprets these frames and can be tricked into processing a frame length that exceeds safe limits, overflowing a buffer by 247 bytes.

Impact

Exploitation of this vulnerability causes a buffer overflow, which can lead to arbitrary code execution or a denial-of-service condition by crashing the system.

Reproduction

To reproduce this vulnerability, first set an invalid MTU on the 'can0' interface using the 'ip link' command. Then, open a raw packet socket with the 'PF_PACKET' family and 'SOCK_RAW' type, specifying the 'ETH_P_CANXL' protocol. After the socket is open, inject a CAN XL frame with a length of 2048 bytes, which exceeds the maximum expected length. The injected frame will bypass the driver's validation checks and be misinterpreted as a standard CAN frame, triggering the buffer overflow.

Remediation

The vulnerability has been addressed by updating the mcba_usb driver to properly handle MTU changes. Users should apply the latest patches available in the Linux kernel stable tree to mitigate this issue.
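
The following is an added example, not part of the advisory or the kernel patch: a shell audit that flags CAN interfaces whose MTU matches the invalid-MTU precondition described above. It assumes the sysfs layout under /sys/class/net and the MTU constants from the kernel's CAN headers; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: audit CAN interfaces for MTUs that no CAN frame type uses.
# Constants are taken from the kernel's CAN UAPI headers.
ARPHRD_CAN=280          # value of /sys/class/net/<if>/type for CAN devices
CAN_MTU=16              # sizeof(struct can_frame), Classical CAN
CANFD_MTU=72            # sizeof(struct canfd_frame)
CANXL_MIN_MTU=76        # CAN XL header (12) + 64 data bytes
CANXL_MAX_MTU=2060      # CAN XL header (12) + 2048 data bytes

# classify_can_mtu MTU -> prints classical | fd | xl | invalid
classify_can_mtu() {
    case "$1" in
        ''|*[!0-9]*) echo invalid; return ;;   # empty or non-numeric
    esac
    if [ "$1" -eq "$CAN_MTU" ]; then
        echo classical
    elif [ "$1" -eq "$CANFD_MTU" ]; then
        echo fd
    elif [ "$1" -ge "$CANXL_MIN_MTU" ] && [ "$1" -le "$CANXL_MAX_MTU" ]; then
        echo xl
    else
        echo invalid
    fi
}

# audit_can_mtus [SYSFS_NET_DIR] -> one "iface mtu class" line per CAN
# interface; returns 1 if any interface is not at the Classical CAN MTU.
audit_can_mtus() {
    net_dir=${1:-/sys/class/net}
    rc=0
    for dev in "$net_dir"/*; do
        [ -r "$dev/type" ] && [ -r "$dev/mtu" ] || continue
        [ "$(cat "$dev/type")" = "$ARPHRD_CAN" ] || continue
        mtu=$(cat "$dev/mtu")
        class=$(classify_can_mtu "$mtu")
        echo "${dev##*/} $mtu $class"
        # An adapter that only speaks Classical CAN should never report
        # fd, xl or invalid; treat anything else as a finding.
        [ "$class" = classical ] || rc=1
    done
    return $rc
}
```

Source the file and call `audit_can_mtus`; a non-zero status means at least one CAN interface is not at the Classical CAN MTU and should be reviewed against what its hardware supports.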

Added: Oct 15, 2025, 8:38 AM
Updated: Oct 15, 2025, 8:38 AM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 7.5
exploitability: 3.8
remediation: 7.7
relevance: 0.7
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.