CVE-2023-54105

The Linux kernel's CAN ISOTP (ISO 15765-2) socket implementation did not verify that the address family passed to isotp_bind() is AF_CAN. The bind() system call accepted any sockaddr structure that matched the expected size, even if the address family field (e.g., AF_XDP, value 0x2C) was incorrect. This lack of validation meant that binds from non-CAN sockets (such as those created by syzkaller) were incorrectly allowed.

Exploitation of this issue requires the ability to create sockets and issue bind system calls, which is available to any unprivileged user on the system. By submitting a crafted sockaddr with a valid size but an arbitrary address family (e.g., AF_XDP), an attacker could make isotp_bind() succeed without actually establishing a CAN association. The kernel would not reject the incorrect address family, and no functional impact resulted from this mismatch.

While this vulnerability has no practical security impact—no code execution, privilege escalation, or denial of service is possible—it violates the principle that userspace should be notified of invalid address family usage. The fix adds a missing check to return an error code (EAFNOSUPPORT) when the address family is not AF_CAN, ensuring proper validation and returning meaningful feedback to the caller [1][2].

The Linux kernel stable branches addressed this flaw in commits (referenced as [1] and [2]), which should be backported to affected long-term and stable releases. No workaround is necessary for most users; applying the latest stable or distro kernel updates is recommended.