Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
A buffer overflow vulnerability has been identified in the Linux kernel's ETAS ES58X CAN USB driver. This issue arises because the driver does not properly handle changes to the Maximum Transmission Unit (MTU) settings. An attacker can exploit this by setting an excessively high MTU, which the driver fails to validate. Subsequently, the attacker can use a raw packet socket to inject malicious CAN XL frames. The driver's transmission function misinterprets these frames, leading to a buffer overflow. Specifically, the ES581.4 variant of the driver is affected, as it processes the injected frames in a way that allows for a significant overflow of 247 bytes.
Exploitation of this vulnerability causes a buffer overflow, which can lead to arbitrary code execution or memory corruption.
To reproduce this vulnerability, first set an invalid MTU on the 'can0' interface using the 'ip link' command. Then, open a raw packet socket with the 'PF_PACKET' family and 'ETH_P_CANXL' protocol to send malicious CAN XL frames. The injected frames will bypass the CAN framework's validation checks and be processed by the vulnerable driver, causing the buffer overflow.
The vulnerability has been addressed in the Linux kernel by updating the ETAS ES58X driver to properly manage MTU changes. Users should upgrade to the latest version of the Linux kernel where this fix is available.
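As an added example (not part of the original advisory and not kernel code), the shell function below audits a host for the precondition described above: a CAN interface whose MTU is neither the Classical CAN nor the CAN FD frame size. The function names and the sample tree are constructed for illustration, and the check assumes the adapter supports only Classical CAN and CAN FD, so interfaces that legitimately run CAN XL are reported as well.

```shell
#!/bin/sh
# Added example: flag CAN network interfaces with an unexpected MTU.
# Constants from the Linux UAPI headers:
#   ARPHRD_CAN = 280 (if_arp.h), CAN_MTU = 16, CANFD_MTU = 72 (can.h)
ARPHRD_CAN=280
CAN_MTU=16
CANFD_MTU=72

# audit_can_mtu [SYSFS_NET_DIR]
# Prints "<ifname> <mtu> <OK|SUSPECT>" for every CAN interface found.
# Returns 1 if at least one interface is SUSPECT, 0 otherwise.
# Assumption: only Classical CAN and CAN FD MTUs are legitimate here.
audit_can_mtu() {
    net_dir=${1:-/sys/class/net}
    found=0
    for dev in "$net_dir"/*; do
        # Skip entries that do not look like network devices.
        [ -r "$dev/type" ] && [ -r "$dev/mtu" ] || continue
        # Only CAN devices are of interest.
        [ "$(cat "$dev/type")" = "$ARPHRD_CAN" ] || continue
        mtu=$(cat "$dev/mtu")
        case "$mtu" in
            "$CAN_MTU"|"$CANFD_MTU") verdict=OK ;;
            *) verdict=SUSPECT; found=1 ;;
        esac
        echo "${dev##*/} $mtu $verdict"
    done
    return $found
}

# make_sample_tree
# Builds a constructed sysfs-like tree (not real data) for offline testing
# and prints its path: can0 with an oversized MTU, can1 with the CAN FD MTU,
# eth0 as a non-CAN device.
make_sample_tree() {
    root=$(mktemp -d)
    for spec in "can0 280 2060" "can1 280 72" "eth0 1 1500"; do
        set -- $spec
        mkdir -p "$root/$1"
        echo "$2" > "$root/$1/type"
        echo "$3" > "$root/$1/mtu"
    done
    echo "$root"
}
```

Run `audit_can_mtu` with no argument to check the live `/sys/class/net`; a SUSPECT line on an unpatched kernel means the interface MTU should be reset and the kernel upgraded.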