From: Oliver Hartkopp <socketcan@hartkopp.net>
To: davem@davemloft.net, netdev@vger.kernel.org
Cc: ieatmuttonchuan@gmail.com, meissner@suse.de,
linux-can@vger.kernel.org,
Oliver Hartkopp <socketcan@hartkopp.net>,
linux-stable <stable@vger.kernel.org>
Subject: [PATCH] can: gw: ensure DLC boundaries after CAN frame modification
Date: Thu, 3 Jan 2019 13:26:34 +0100
Message-ID: <20190103122634.2530-1-socketcan@hartkopp.net>
The CAN frame modification rules allow bitwise logical operations which can
also be applied to the can_dlc field. Ensure the manipulation result to
maintain the can_dlc boundaries so that the CAN drivers do not accidentally
write arbitrary content beyond the data registers in the CAN controller's
I/O mem when processing can-gw manipulated outgoing frames. When passing these
frames to user space this issue did not have any effect on the kernel or any
leaked data as we always strictly copy sizeof(struct can_frame) bytes.
Reported-by: Muyu Yu <ieatmuttonchuan@gmail.com>
Reported-by: Marcus Meissner <meissner@suse.de>
Tested-by: Muyu Yu <ieatmuttonchuan@gmail.com>
Signed-off-by: Oliver Hartkopp <socketcan@hartkopp.net>
Cc: linux-stable <stable@vger.kernel.org> # >= v3.2
---
net/can/gw.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/net/can/gw.c b/net/can/gw.c
index faa3da88a127..9000d9b8a133 100644
--- a/net/can/gw.c
+++ b/net/can/gw.c
@@ -418,6 +418,10 @@ static void can_can_gw_rcv(struct sk_buff *skb, void *data)
/* check for checksum updates when the CAN frame has been modified */
if (modidx) {
+ /* ensure DLC boundaries after the different mods */
+ if (cf->can_dlc > 8)
+ cf->can_dlc = 8;
+
if (gwj->mod.csumfunc.crc8)
(*gwj->mod.csumfunc.crc8)(cf, &gwj->mod.csum.crc8);
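Review bot: clamping in the added `if (cf->can_dlc > 8)` block hides a bad modification rule: a frame whose length went out of range is rewritten to 8 and still checksummed and forwarded, so nothing tells the administrator that the rule produced an invalid DLC. Consider dropping the frame (or at least counting it) at this point instead of forwarding a silently altered one, and say in the comment which choice was made and why. The literal 8 appears twice here; a named constant for the maximum classic CAN data length would make the bound self-documenting.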
--
2.19.2
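
The effect described in the commit message, as an added user-space example that is not part of the patch or of the kernel source: a simplified frame struct and a hypothetical rule type (`struct frame`, `struct dlc_rule` and `excess_after` are names assumed here) show a bitwise rule pushing `can_dlc` past 8 and the clamp bounding it again.

```c
#include <stdint.h>
#include <stdio.h>

#define CAN_MAX_DLEN 8

/* Simplified stand-in for struct can_frame (constructed for this example). */
struct frame {
    uint8_t can_dlc;
    uint8_t data[CAN_MAX_DLEN];
};

/* Hypothetical rule: one mask per bitwise operation on can_dlc. */
struct dlc_rule { uint8_t and_mask, or_mask, xor_mask; };

/* Bitwise operations on the length field; nothing here bounds the result. */
static void apply_rule(struct frame *f, const struct dlc_rule *r)
{
    f->can_dlc &= r->and_mask;
    f->can_dlc |= r->or_mask;
    f->can_dlc ^= r->xor_mask;
}

/* The check the patch adds: bound can_dlc once all modifications are done. */
static void clamp_dlc(struct frame *f)
{
    if (f->can_dlc > CAN_MAX_DLEN)
        f->can_dlc = CAN_MAX_DLEN;
}

/* Modify a constructed frame and return how many bytes a driver loop of
 * can_dlc iterations would touch past the eight data registers. */
static unsigned excess_after(uint8_t dlc, struct dlc_rule r, int clamp)
{
    struct frame f = { .can_dlc = dlc };

    apply_rule(&f, &r);
    if (clamp)
        clamp_dlc(&f);
    return f.can_dlc > CAN_MAX_DLEN ? (unsigned)(f.can_dlc - CAN_MAX_DLEN) : 0u;
}

int main(void)
{
    struct dlc_rule r = { .and_mask = 0xFF, .or_mask = 0x08, .xor_mask = 0x04 };

    printf("without clamp: %u bytes past data[]\n", excess_after(3, r, 0));
    printf("with clamp:    %u bytes past data[]\n", excess_after(3, r, 1));
    return 0;
}
```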