Linux CAN drivers development
From: Eulgyu Kim <eulgyukim@snu.ac.kr>
To: socketcan@hartkopp.net
Cc: mkl@pengutronix.de, linux-can@vger.kernel.org,
	linux-kernel@vger.kernel.org, byoungyoung@snu.ac.kr,
	jjy600901@snu.ac.kr
Subject: Re: [BUG] KASAN: slab-use-after-free Read in raw_rcv
Date: Mon,  4 May 2026 13:08:39 +0900	[thread overview]
Message-ID: <20260504040839.20805-1-eulgyukim@snu.ac.kr> (raw)
In-Reply-To: <c744de46-14b3-4902-bf36-50492992007f@hartkopp.net>

> >
> > Can you confirm that the below patch fixes the issue?
> >
> > Best regards,
> > Oliver
> >
> > diff --git a/net/can/raw.c b/net/can/raw.c
> > index a26942e78e68..48d1bf297c2c 100644
> > --- a/net/can/raw.c
> > +++ b/net/can/raw.c
> > @@ -697,49 +697,68 @@ static int raw_setsockopt(struct socket *sock, int
> > level, int optname,
> >               return -EINVAL;
> >
> >           if (copy_from_sockptr(&flag, optval, optlen))
> >               return -EFAULT;
> >
> > +        rtnl_lock();
> > +        lock_sock(sk);
> >           ro->loopback = !!flag;
> > +        release_sock(sk);
> > +        rtnl_unlock();
> >           break;
> >
> >       case CAN_RAW_RECV_OWN_MSGS:
> >           if (optlen != sizeof(flag))
> >               return -EINVAL;
> >
> >           if (copy_from_sockptr(&flag, optval, optlen))
> >               return -EFAULT;
> >
> > +        rtnl_lock();
> > +        lock_sock(sk);
> >           ro->recv_own_msgs = !!flag;
> > +        release_sock(sk);
> > +        rtnl_unlock();
> >           break;
> >
> >       case CAN_RAW_FD_FRAMES:
> >           if (optlen != sizeof(flag))
> >               return -EINVAL;
> >
> >           if (copy_from_sockptr(&flag, optval, optlen))
> >               return -EFAULT;
> >
> > +        rtnl_lock();
> > +        lock_sock(sk);
> >           /* Enabling CAN XL includes CAN FD */
> > -        if (ro->xl_frames && !flag)
> > +        if (ro->xl_frames && !flag) {
> > +            release_sock(sk);
> > +            rtnl_unlock();
> >               return -EINVAL;
> > +        }
> >
> >           ro->fd_frames = !!flag;
> > +        release_sock(sk);
> > +        rtnl_unlock();
> >           break;
> >
> >       case CAN_RAW_XL_FRAMES:
> >           if (optlen != sizeof(flag))
> >               return -EINVAL;
> >
> >           if (copy_from_sockptr(&flag, optval, optlen))
> >               return -EFAULT;
> >
> > +        rtnl_lock();
> > +        lock_sock(sk);
> >           ro->xl_frames = !!flag;
> >
> >           /* Enabling CAN XL includes CAN FD */
> >           if (ro->xl_frames)
> >               ro->fd_frames = ro->xl_frames;
> > +        release_sock(sk);
> > +        rtnl_unlock();
> >           break;
> >
> >       case CAN_RAW_XL_VCID_OPTS:
> >           if (optlen != sizeof(ro->raw_vcid_opts))
> >               return -EINVAL;
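Review bot: The early-return path added in the CAN_RAW_FD_FRAMES case (`if (ro->xl_frames && !flag) {` ... `return -EINVAL;`) now has to repeat `release_sock(sk); rtnl_unlock();` by hand, and the same two-line unlock sequence is duplicated after every assignment in this hunk; a local `err` with one shared unlock label, or taking the locks once around the whole switch, would keep every exit path covered and avoid a future case returning with the socket still locked. The changelog should also say why rtnl_lock() is needed around plain boolean flag writes (loopback, recv_own_msgs, fd_frames, xl_frames) rather than lock_sock(sk) alone, and the rtnl-before-lock_sock order must match the order used by the other lock takers in raw_setsockopt, since the opposite order anywhere else would deadlock.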
> > @@ -758,11 +777,15 @@ static int raw_setsockopt(struct socket *sock, int
> > level, int optname,
> >               return -EINVAL;
> >
> >           if (copy_from_sockptr(&flag, optval, optlen))
> >               return -EFAULT;
> >
> > +        rtnl_lock();
> > +        lock_sock(sk);
> >           ro->join_filters = !!flag;
> > +        release_sock(sk);
> > +        rtnl_unlock();
> >           break;
> >
> >       default:
> >           return -ENOPROTOOPT;
> >       }
> >
> >
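Review bot: The CAN_RAW_JOIN_FILTERS write gets the same rtnl_lock()/lock_sock(sk) bracket, but nothing in the patch touches the reader side named in the subject (raw_rcv), so it is not visible from the hunks how serialising setsockopt alone prevents the slab-use-after-free reported there; the commit message should spell out which object is being freed under the reader and how holding these locks on the writer keeps the reader from reaching it. The `default:` branch returning -ENOPROTOOPT before any lock is taken is correct, but only because every lock is taken after the optlen and copy_from_sockptr checks; a short comment stating that invariant would help whoever adds the next case here.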

Hello,

thanks for your reply.

We have tested the patch, and our reproducer did not trigger any issue.

As this issue was identified via fuzzing and we have limited background,
we find it challenging to provide further verification.

At least for our specific test case, the issue seems to be resolved.

We hope this testing feedback is helpful.

Thank you.

Best Regards,
Eulgyu Kim

Thread overview: 5+ messages
2026-05-03 11:22 [BUG] KASAN: slab-use-after-free Read in raw_rcv Eulgyu Kim
2026-05-03 18:04 ` Oliver Hartkopp
2026-05-03 18:24   ` Oliver Hartkopp
2026-05-04  4:08   ` Eulgyu Kim [this message]
2026-05-04  8:08     ` Oliver Hartkopp