Linux Kernel ISOTP Socket Buffer Use-After-Free Vulnerability

Vulnerability

A use-after-free vulnerability has been identified in the Linux kernel's CAN ISOTP (ISO 15765-2) implementation. The issue arises in the 'isotp_sendmsg()' function, which improperly serializes access to the transmission buffer ('so->tx.buf') of the socket. The 'isotp_release()' function waits for the socket to be idle before freeing the transmission buffer. However, if a signal interrupts this wait while the state is still sending, the buffer can be freed prematurely. This can lead to a situation where 'isotp_sendmsg()' is still reading from the buffer while it has already been freed, causing a use-after-free condition.

Impact

This use-after-free condition may be exploited to execute arbitrary code or to cause a denial-of-service condition by crashing the system.

Reproduction

The vulnerability can be reproduced by sending a CAN frame that interrupts the 'isotp_release()' function while 'isotp_sendmsg()' is still processing the transmission. This can be done by sending a signal that interrupts the wait event, causing 'isotp_release()' to free the transmission buffer before 'isotp_sendmsg()' has finished using it.

Remediation

The vulnerability has been fixed in the Linux kernel. Users should upgrade to the latest version.
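
The close-during-send race described above, as a deterministic userspace model in C. This is an added example, not kernel code and not the upstream patch; the state names, the struct and the deferred-free hardening are assumptions made for illustration.

```c
/* Userspace model (constructed) of the isotp_release()/isotp_sendmsg() race. */
#include <stdbool.h>
#include <stdlib.h>

enum tx_state { TX_IDLE, TX_SENDING, TX_SHUTDOWN };   /* hypothetical names */
struct model_sock { enum tx_state state; unsigned char *tx_buf; };

/* Interruptible wait for idle: false means a signal ended the wait early. */
static bool wait_idle(struct model_sock *s, bool sig) {
    if (s->state == TX_IDLE) return true;
    if (sig) return false;             /* state is still TX_SENDING */
    s->state = TX_IDLE;                /* model: the send completes while we sleep */
    return true;
}

/* Frees the buffer; returns true if a send was still in flight (UAF window). */
static bool free_tx(struct model_sock *s) {
    bool in_flight = (s->state == TX_SENDING);
    free(s->tx_buf);
    s->tx_buf = NULL;
    return in_flight;
}

/* Behaviour the advisory describes: the result of the wait is ignored. */
static bool release_vulnerable(struct model_sock *s, bool sig) {
    (void)wait_idle(s, sig);
    return free_tx(s);
}

/* Assumed hardening: an interrupted wait hands the free over to the sender. */
static bool release_hardened(struct model_sock *s, bool sig) {
    if (wait_idle(s, sig)) return free_tx(s);
    s->state = TX_SHUTDOWN;
    return false;
}

/* Sender completion: performs the deferred free if release handed it over. */
static void sender_finish(struct model_sock *s) {
    if (s->state == TX_SHUTDOWN) { free(s->tx_buf); s->tx_buf = NULL; }
    s->state = TX_IDLE;
}

/* Runs one close-during-send scenario; true means the buffer was freed in use. */
static bool uaf_window(bool hardened, bool sig) {
    struct model_sock s = { TX_SENDING, malloc(64) };
    bool uaf = hardened ? release_hardened(&s, sig) : release_vulnerable(&s, sig);
    sender_finish(&s);
    return uaf;
}
```

Only the vulnerable release combined with a pending signal frees the buffer while the state is still sending; every other combination frees it after the send has finished.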

Added: Apr 22, 2026, 3:23 PM
Updated: Apr 22, 2026, 3:23 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 3.1
exploitability: 3.9
remediation: 7.7
relevance: 6.2
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.