CVE-2022-28389 Overview
CVE-2022-28389 is a Double Free vulnerability in the Linux kernel's MCBA USB CAN (Controller Area Network) driver. The flaw exists in the mcba_usb_start_xmit function within drivers/net/can/usb/mcba_usb.c, affecting Linux kernel versions through 5.17.1. This memory corruption issue occurs in the error handling path when transmitting CAN frames over USB, where the socket buffer (skb) can be freed twice, leading to kernel memory corruption and potential denial of service.
Critical Impact
Local attackers with low privileges can exploit this double free vulnerability to crash the kernel or potentially achieve memory corruption, affecting systems utilizing Microchip CAN BUS Analyzer USB devices.
Affected Products
- Linux Kernel through version 5.17.1
- Fedora 34, 35, and 36
- Debian Linux 10.0 and 11.0
- NetApp H-Series (H300S, H500S, H700S, H300E, H500E, H700E, H410S, H410C) firmware
Discovery Timeline
- 2022-04-03 - CVE-2022-28389 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2022-28389
Vulnerability Analysis
The vulnerability resides in the MCBA USB driver's transmit function mcba_usb_start_xmit(). When an error occurs during the transmission of CAN frames, the code path performs cleanup operations that include freeing the socket buffer (skb). However, the error handling code contained a flaw where dev_kfree_skb(skb) was explicitly called in the xmit_failed label, even though the socket buffer had already been freed through can_free_echo_skb() as part of the CAN subsystem's echo mechanism.
This double free condition occurs because the CAN networking layer maintains an echo buffer that tracks transmitted frames for loopback purposes. When can_free_echo_skb() is called during error handling, it properly deallocates the associated skb. The subsequent explicit call to dev_kfree_skb(skb) then attempts to free the same memory region a second time, corrupting kernel heap metadata.
Root Cause
The root cause is improper memory management in the error handling path of mcba_usb_start_xmit(). The CAN subsystem's can_free_echo_skb() function already handles the deallocation of the socket buffer when cleaning up a failed transmission. The redundant call to dev_kfree_skb(skb) in the xmit_failed error label creates a CWE-415 (Double Free) condition. This type of vulnerability can lead to use-after-free scenarios, heap corruption, and unpredictable kernel behavior.
Attack Vector
This is a local attack vector requiring low privileges to exploit. An attacker would need:
- Local access to a system with a Microchip CAN BUS Analyzer USB device connected
- The ability to trigger transmission errors through the CAN interface
- Sufficient privileges to interact with the network device
By crafting specific conditions that cause transmission failures, an attacker can repeatedly trigger the double free, potentially corrupting kernel memory structures and causing system instability or denial of service.
// Security patch removing the redundant dev_kfree_skb call
// Source: https://github.com/torvalds/linux/commit/04c9b00ba83594a29813d6b1fb8fdc93a3915174
xmit_failed:
can_free_echo_skb(priv->netdev, ctx->ndx, NULL);
mcba_usb_free_ctx(ctx);
- dev_kfree_skb(skb);
stats->tx_dropped++;
return NETDEV_TX_OK;
Source: GitHub Linux Commit Update
Detection Methods for CVE-2022-28389
Indicators of Compromise
- Unexpected kernel crashes or panics involving the mcba_usb module
- Kernel log messages referencing double free errors in mcba_usb_start_xmit
- System instability when using Microchip CAN BUS Analyzer USB devices
- Memory corruption warnings in kernel ring buffer (dmesg) related to CAN operations
Detection Strategies
- Monitor kernel logs for KASAN (Kernel Address Sanitizer) reports indicating double free in mcba_usb.c
- Implement kernel module integrity monitoring for the mcba_usb driver
- Deploy endpoint detection to identify unusual CAN interface activity patterns
- Use crash dump analysis to identify double free stack traces in the mcba_usb module
Monitoring Recommendations
- Enable kernel crash dump collection (kdump) to capture exploitation attempts
- Monitor for repeated CAN transmission failures that could indicate exploitation activity
- Configure syslog alerts for kernel oops or panic messages mentioning mcba_usb
- Track USB device hotplug events for CAN analyzers on sensitive systems
How to Mitigate CVE-2022-28389
Immediate Actions Required
- Update the Linux kernel to a patched version that includes commit 04c9b00ba83594a29813d6b1fb8fdc93a3915174
- Apply distribution-specific security updates from Debian (DSA-5127, DSA-5173), Fedora, or your vendor
- If immediate patching is not possible, consider unloading the mcba_usb kernel module
- Review and restrict physical access to systems with CAN USB devices
Patch Information
The vulnerability has been addressed in the upstream Linux kernel through commit 04c9b00ba83594a29813d6b1fb8fdc93a3915174. The fix removes the redundant dev_kfree_skb(skb) call from the xmit_failed error path, as the socket buffer is already freed by can_free_echo_skb(). Security advisories have been issued by Debian (DSA-5127), Debian (DSA-5173), and NetApp.
Workarounds
- Blacklist the mcba_usb kernel module if CAN BUS Analyzer functionality is not required
- Restrict access to the affected CAN network interfaces using proper permissions
- Implement network namespace isolation to limit CAN interface exposure
- Monitor and limit users who can load or interact with USB CAN devices
# Configuration example - Blacklist the mcba_usb module
echo "blacklist mcba_usb" | sudo tee /etc/modprobe.d/blacklist-mcba_usb.conf
sudo update-initramfs -u
# Verify module is not loaded
lsmod | grep mcba_usb
# If loaded, remove the module
sudo modprobe -r mcba_usb
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
