Linux Kernel CAN Raw Socket Use-After-Free Vulnerability

A use-after-free vulnerability has been identified in the raw CAN socket implementation of the Linux kernel. This issue arises in the 'raw_rcv()' function, where the 'raw_release()' function unregisters CAN receive filters but defers the deletion of the receiver. As a result, 'raw_rcv()' may still be executing in a read-side critical section after 'raw_release()' has freed the unique per-CPU storage, leading to a use-after-free condition. The vulnerability affects the Linux kernel stable tree, specifically versions 4.1 and later.

Impact

Exploitation of this vulnerability leads to a use-after-free condition, allowing for potential memory corruption.

Reproduction

The vulnerability can be reproduced by creating a raw CAN socket and registering a receive filter. While the socket is actively receiving frames, the socket can be closed, which triggers the 'raw_release()' function. This function frees the unique per-CPU storage but does not immediately remove the receive filter, leaving a window where the 'raw_rcv()' function can still be called, leading to a use-after-free condition.

Remediation

The vulnerability has been fixed in the Linux kernel. Users should upgrade to the latest version.