Headline
CVE-2022-2741: can: denial-of-service can be triggered by a crafted CAN frame
The denial-of-service can be triggered by transmitting a carefully crafted CAN frame on the same CAN network as the vulnerable node. The frame must have a CAN ID matching an installed filter in the vulnerable node (this can easily be guessed based on CAN traffic analyses). The frame must contain the opposite RTR bit as what the filter installed in the vulnerable node contains (if the filter matches RTR frames, the frame must be a data frame or vice versa).
Impact
During investigation of #47204 I discovered that this particular bug can be used for remote denial-of-service via CAN for MCUs using the Bosch M_CAN driver back-end for CAN communication.
This driver back-end is used for at least the NXP LPCxpresso5500 series, the ST STM32H7 series, ST STM32G4 series, ST STM32U5 series, Atmel SAME70 series, and Atmel SAMV71 series.
The denial-of-service can be triggered by transmitting a carefully crafted CAN frame on the same CAN network as the vulnerable node. The frame must have a CAN ID matching an installed filter in the vulnerable node (this can easily be guessed based on CAN traffic analyses). The frame must
contain the opposite RTR bit as what the filter installed in the vulnerable node contains (if the filter matches RTR frames, the frame must be a data frame or vice versa).
This carefully crafted frame will cause the Bosch M_CAN driver back-end interrupt service routine to enter an endless loop since the frame “wrongly" matching the filter is never acknowledged and thus keeps being read from the hardware FIFO.
Patches
- main: #47903
- v3.1: #47957
- v3.0: #47958
- v2.7: #47959
For more information
If you have any questions or comments about this advisory:
- Open an issue in zephyr
- Email us at Zephyr-vulnerabilities
embargo: 2022-10-14