To: Oliver Hartkopp, davem@davemloft.net, netdev@vger.kernel.org
Cc: linux-can@vger.kernel.org, lifeasageek@gmail.com, threeearcat@gmail.com, syzkaller@googlegroups.com, Kyungtae Kim, linux-stable
References: <20190113183143.10612-1-socketcan@hartkopp.net>
From: Andre Naujoks
Subject: Re: [PATCH v2] can: bcm: check timer values before ktime conversion
Date: Wed, 16 Jan 2019 14:31:11 +0100
In-Reply-To:
 <20190113183143.10612-1-socketcan@hartkopp.net>
X-Mailing-List: netdev@vger.kernel.org

On 13.01.19 at 19:31, Oliver Hartkopp wrote:
> Kyungtae Kim detected a potential integer overflow in bcm_[rx|tx]_setup()
> when the conversion into ktime multiplies the given value with NSEC_PER_USEC
> (1000).
>
> Reference: https://marc.info/?l=linux-can&m=154732118819828&w=2
>
> Add a check for the given tv_usec, so that the value stays below one second.
> Additionally limit the tv_sec value to a reasonable value for CAN related
> use-cases of 400 days and ensure all values to be positive.
>
> Reported-by: Kyungtae Kim
> Tested-by: Oliver Hartkopp
> Signed-off-by: Oliver Hartkopp
> Cc: linux-stable # >= 2.6.26

Acked-by: Andre Naujoks

Sorry for the late reply, but I seem to have missed the initial send of v2 of
this. I wanted to at least ack it, since I made such a fuss about the
timeouts. :-)

Regards
  Andre

> --- > net/can/bcm.c | 27 +++++++++++++++++++++++++++ > 1 file changed, 27 insertions(+) > > diff --git a/net/can/bcm.c b/net/can/bcm.c > index 0af8f0db892a..d4ae0a1471f3 100644 > --- a/net/can/bcm.c > +++ b/net/can/bcm.c > @@ -67,6 +67,9 @@ > */ > #define MAX_NFRAMES 256 > > +/* limit timers to 400 days for sending/timeouts */ > +#define BCM_TIMER_SEC_MAX (400*24*60*60) > + > /* use of last_frames[index].flags */ > #define RX_RECV 0x40 /* received data for this element */ > #define RX_THR 0x80 /* element not been sent due to throttle feature */ 
> @@ -140,6 +143,22 @@ static inline ktime_t bcm_timeval_to_ktime(struct bcm_timeval tv) > return ktime_set(tv.tv_sec, tv.tv_usec * NSEC_PER_USEC); > } > > +/* check limitations for timeval provided by user */ > +static int bcm_is_invalid_tv(struct bcm_msg_head *msg_head) > +{ > + if ((msg_head->ival1.tv_sec < 0) || > + (msg_head->ival1.tv_sec > BCM_TIMER_SEC_MAX) || > + (msg_head->ival1.tv_usec < 0) || > + (msg_head->ival1.tv_usec >= USEC_PER_SEC) || > + (msg_head->ival2.tv_sec < 0) || > + (msg_head->ival2.tv_sec > BCM_TIMER_SEC_MAX) || > + (msg_head->ival2.tv_usec < 0) || > + (msg_head->ival2.tv_usec >= USEC_PER_SEC)) > + return 1; > + > + return 0; > +} > + > #define CFSIZ(flags) ((flags & CAN_FD_FRAME) ? CANFD_MTU : CAN_MTU) > #define OPSIZ sizeof(struct bcm_op) > #define MHSIZ sizeof(struct bcm_msg_head) > @@ -873,6 +892,10 @@ static int bcm_tx_setup(struct bcm_msg_head *msg_head, struct msghdr *msg, > if (msg_head->nframes < 1 || msg_head->nframes > MAX_NFRAMES) > return -EINVAL; > > + /* check timeval limitations */ > + if ((msg_head->flags & SETTIMER) && bcm_is_invalid_tv(msg_head)) > + return -EINVAL; > + > /* check the given can_id */ > op = bcm_find_op(&bo->tx_ops, msg_head, ifindex); > if (op) { > @@ -1053,6 +1076,10 @@ static int bcm_rx_setup(struct bcm_msg_head *msg_head, struct msghdr *msg, > (!(msg_head->can_id & CAN_RTR_FLAG)))) > return -EINVAL; > > + /* check timeval limitations */ > + if ((msg_head->flags & SETTIMER) && bcm_is_invalid_tv(msg_head)) > + return -EINVAL; > + > /* check the given can_id */ > op = bcm_find_op(&bo->rx_ops, msg_head, ifindex); > if (op) { >
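Review bot: in the first hunk (@@ -67,6 +67,9 @@), the BCM_TIMER_SEC_MAX definition writes (400*24*60*60) without spaces around the multiplication operators; kernel coding style asks for (400 * 24 * 60 * 60). The 400-day cap is also a new limit that userspace will see as -EINVAL, and the comment above the define states only what the limit is. A few words on why 400 days was picked (the commit message calls it reasonable for CAN related use-cases) would save the next reader a trip to the list archive.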
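Review bot: in the second hunk (@@ -140,6 +143,22 @@), bcm_is_invalid_tv() spells out the same four comparisons once for ival1 and once for ival2. A small helper that takes a single struct bcm_timeval and is called twice would halve the condition and keep the two copies from drifting apart. The function only answers yes or no, so returning bool rather than int 1/0, and taking a const pointer, would match what it does. Separately, bcm_timeval_to_ktime() in the context lines above still performs the unchecked tv.tv_usec * NSEC_PER_USEC. With tv_usec held below USEC_PER_SEC the product stays under 10^9 and fits a 32-bit signed value, but that now depends on every caller having passed this check first, which deserves a comment on the conversion helper.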
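Review bot: in the bcm_tx_setup() and bcm_rx_setup() hunks, the new check runs only when msg_head->flags has SETTIMER set. Please confirm that ival1 and ival2 from a message without SETTIMER never reach bcm_timeval_to_ktime(), because in that case they are not validated at all; if any path does convert them, the check should be made unconditional. The placement ahead of bcm_find_op() is right, since an invalid timeval is rejected with -EINVAL before an existing op is looked up or modified.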