From mboxrd@z Thu Jan 1 00:00:00 1970
From: Oliver Hartkopp
Subject: [PATCH] can: bcm: check timer values before ktime conversion
Date: Sat, 12 Jan 2019 22:57:26 +0100
Message-ID: <20190112215726.2622-1-socketcan@hartkopp.net>
Mime-Version: 1.0
Content-Transfer-Encoding: 8bit
Cc: linux-can@vger.kernel.org, lifeasageek@gmail.com, threeearcat@gmail.com, syzkaller@googlegroups.com, Oliver Hartkopp , Kyungtae Kim , linux-stable
To: davem@davemloft.net, netdev@vger.kernel.org
Return-path:
Sender: stable-owner@vger.kernel.org
List-Id: netdev.vger.kernel.org

Kyungtae Kim detected a potential integer overflow in bcm_[rx|tx]_setup() when the conversion into ktime multiplies the given value with NSEC_PER_USEC (1000).

Reference: https://marc.info/?l=linux-can&m=154732118819828&w=2

Add a check for the given tv_usec, so that the value stays below one second. Additionally limit the tv_sec value to a reasonable value for CAN related use-cases of 15 minutes.

Reported-by: Kyungtae Kim
Tested-by: Oliver Hartkopp
Signed-off-by: Oliver Hartkopp
Cc: linux-stable # >= 2.6.26
--- net/can/bcm.c | 23 +++++++++++++++++++++++ 1 file changed, 23 insertions(+) diff --git a/net/can/bcm.c b/net/can/bcm.c index 0af8f0db892a..ff3799be077b 100644 --- a/net/can/bcm.c +++ b/net/can/bcm.c @@ -67,6 +67,9 @@ */ #define MAX_NFRAMES 256 +/* limit timers to 15 minutes for sending/timeouts */ +#define BCM_TIMER_SEC_MAX (15*60) + /* use of last_frames[index].flags */ #define RX_RECV 0x40 /* received data for this element */ #define RX_THR 0x80 /* element not been sent due to throttle feature */ 
@@ -140,6 +143,18 @@ static inline ktime_t bcm_timeval_to_ktime(struct bcm_timeval tv) return ktime_set(tv.tv_sec, tv.tv_usec * NSEC_PER_USEC); } +/* check limitations for timeval provided by user */ +static int bcm_is_invalid_tv(struct bcm_msg_head *msg_head) +{ + if ((msg_head->ival1.tv_sec > BCM_TIMER_SEC_MAX) || + (msg_head->ival1.tv_usec >= USEC_PER_SEC) || + (msg_head->ival2.tv_sec > BCM_TIMER_SEC_MAX) || + (msg_head->ival2.tv_usec >= USEC_PER_SEC)) + return 1; + + return 0; +} + #define CFSIZ(flags) ((flags & CAN_FD_FRAME) ? CANFD_MTU : CAN_MTU) #define OPSIZ sizeof(struct bcm_op) #define MHSIZ sizeof(struct bcm_msg_head) @@ -873,6 +888,10 @@ static int bcm_tx_setup(struct bcm_msg_head *msg_head, struct msghdr *msg, if (msg_head->nframes < 1 || msg_head->nframes > MAX_NFRAMES) return -EINVAL; + /* check timeval limitations */ + if ((msg_head->flags & SETTIMER) && bcm_is_invalid_tv(msg_head)) + return -EINVAL; + /* check the given can_id */ op = bcm_find_op(&bo->tx_ops, msg_head, ifindex); if (op) { 
@@ -1053,6 +1072,10 @@ static int bcm_rx_setup(struct bcm_msg_head *msg_head, struct msghdr *msg, (!(msg_head->can_id & CAN_RTR_FLAG)))) return -EINVAL; + /* check timeval limitations */ + if ((msg_head->flags & SETTIMER) && bcm_is_invalid_tv(msg_head)) + return -EINVAL; + /* check the given can_id */ op = bcm_find_op(&bo->rx_ops, msg_head, ifindex); if (op) { -- 2.20.1
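Review bot: The new limit in the @@ -67,6 +67,9 @@ hunk is visible to userspace, yet the diffstat shows only net/can/bcm.c changing, so nothing outside the source comment tells a BCM user that timers above 15 minutes are refused. Suggest documenting the bound where the BCM timer fields are described, and as a style point spacing the expression as `(15 * 60)`.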
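Review bot: bcm_is_invalid_tv() in the @@ -140,6 +143,18 @@ hunk tests only upper bounds. If tv_sec and tv_usec are signed in struct bcm_timeval, a negative value passes both `> BCM_TIMER_SEC_MAX` and `>= USEC_PER_SEC` and still reaches `tv.tv_usec * NSEC_PER_USEC` in bcm_timeval_to_ktime() just above, so the overflow the commit message describes is not fully closed. Suggest adding `< 0` tests for all four fields; the helper could also return bool rather than int 1/0.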
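Review bot: The condition `(msg_head->flags & SETTIMER) && bcm_is_invalid_tv(msg_head)` added in the @@ -873,6 +888,10 @@ hunk is repeated verbatim in bcm_rx_setup(). Moving the SETTIMER test into the helper would leave one call per site and keep the flag gating from drifting between the TX and RX paths if one of them is changed later.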
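Review bot: In the @@ -1053,6 +1072,10 @@ hunk the 15 minute cap applies to both ival1 and ival2 of an RX setup, so a request with SETTIMER and a tv_sec above BCM_TIMER_SEC_MAX, which no check in this function rejected before, now returns -EINVAL. Since the patch carries a stable tag for >= 2.6.26, the commit message should say that this is an intentional behaviour change for existing users, or the cap should be justified separately for the receive side.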