In the Linux kernel, the following vulnerability has been resolved: can: j1939: j1939_tp_tx_dat_new(): fix out-of-bounds memory access In the j1939_tp_tx_dat_new() function, an out-of-bounds memory access could occur during the memcpy() operation if the size of skb->cb is larger than the size of struct j1939_sk_buff_cb. This is because the memcpy() operation uses the size of skb->cb, leading to a read beyond the struct j1939_sk_buff_cb. Updated the memcpy() operation to use the size of struct j1939_sk_buff_cb instead of the size of skb->cb. This ensures that the memcpy() operation only reads the memory within the bounds of struct j1939_sk_buff_cb, preventing out-of-bounds memory access. Additionally, add a BUILD_BUG_ON() to check that the size of skb->cb is greater than or equal to the size of struct j1939_sk_buff_cb. This ensures that the skb->cb buffer is large enough to hold the j1939_sk_buff_cb structure. [mkl: rephrase commit message]
Critical vulnerability exists within the Linux kernel's CAN bus J1939 protocol implementation, allowing for out-of-bounds memory access. Successful exploitation could lead to system crashes, information disclosure, or potentially arbitrary code execution, impacting the integrity and availability of affected systems.
Step 1: Trigger Condition: A specially crafted J1939 CAN bus message is sent to a vulnerable system.
Step 2: Function Call: The crafted message triggers the j1939_tp_tx_dat_new() function within the kernel's CAN bus subsystem.
Step 3: Memory Copy: The memcpy() function within j1939_tp_tx_dat_new() attempts to copy data from skb->cb to a buffer.
Step 4: Out-of-Bounds Read: Due to the size calculation error, memcpy() reads beyond the bounds of struct j1939_sk_buff_cb, accessing kernel memory.
Step 5: Impact: The out-of-bounds read can lead to a kernel crash (denial of service), information disclosure (leaking kernel data), or potentially, in a more complex scenario, arbitrary code execution if the attacker can control the contents of the out-of-bounds memory region.
The vulnerability lies within the j1939_tp_tx_dat_new() function, specifically in the memcpy() operation. The flaw stems from an incorrect calculation of the memory copy size. The code uses skb->cb's size instead of the intended struct j1939_sk_buff_cb size. This leads to a buffer over-read when skb->cb is larger than struct j1939_sk_buff_cb, potentially leaking sensitive kernel memory. The fix involves using the correct size for the memcpy() and adding a BUILD_BUG_ON() check to ensure the buffer is large enough. The root cause is a simple coding error, a size mismatch in the memcpy operation, leading to a memory access violation.