| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 2 Nov 2020 13:14:25 +0530
From: Anant Thazhemadam <anant.thazhemadam@...il.com>
To: Marc Kleine-Budde <mkl@...gutronix.de>,
Oliver Hartkopp <socketcan@...tkopp.net>,
"David S . Miller" <davem@...emloft.net>,
Jakub Kicinski <kuba@...nel.org>
Cc: linux-can@...r.kernel.org, netdev@...r.kernel.org,
linux-kernel@...r.kernel.org,
linux-kernel-mentees@...ts.linuxfoundation.org,
syzbot+9bcb0c9409066696d3aa@...kaller.appspotmail.com
Subject: Re: [PATCH] net: can: prevent potential access of uninitialized value
in canfd_rcv()
On 02-11-2020 12:40, Marc Kleine-Budde wrote:
> On 11/2/20 4:13 AM, Anant Thazhemadam wrote:
>> In canfd_rcv(), cfd->len is uninitialized when skb->len = 0, and this
>> uninitialized cfd->len is accessed nonetheless by pr_warn_once().
>>
>> Fix this uninitialized variable access by checking cfd->len's validity
>> condition (cfd->len > CANFD_MAX_DLEN) separately after the skb->len's
>> condition is checked, and appropriately modify the log messages that
>> are generated as well.
>> In case either of the required conditions fail, the skb is freed and
>> NET_RX_DROP is returned, same as before.
>>
>> Reported-by: syzbot+9bcb0c9409066696d3aa@...kaller.appspotmail.com
>> Tested-by: Anant Thazhemadam <anant.thazhemadam@...il.com>
>> Signed-off-by: Anant Thazhemadam <anant.thazhemadam@...il.com>
>> ---
>> This patch was locally tested using the reproducer and .config file
>> generated by syzbot.
>>
>> net/can/af_can.c | 19 ++++++++++++++-----
>> 1 file changed, 14 insertions(+), 5 deletions(-)
>>
>> diff --git a/net/can/af_can.c b/net/can/af_can.c
>> index ea29a6d97ef5..1b9f2e50f065 100644
>> --- a/net/can/af_can.c
>> +++ b/net/can/af_can.c
>> @@ -694,16 +694,25 @@ static int canfd_rcv(struct sk_buff *skb, struct net_device *dev,
> Can you create a similar patch for "can_rcv()"?
Yes, I can. Would it be alright if that was part of the v2 itself (since it's similar changes)?
Or would I have to split them up into 2 different patches and send it as a 2-patch series
(since the changes made are in different functions)?
>
>> {
>> struct canfd_frame *cfd = (struct canfd_frame *)skb->data;
>>
>> - if (unlikely(dev->type != ARPHRD_CAN || skb->len != CANFD_MTU ||
>> - cfd->len > CANFD_MAX_DLEN)) {
>> - pr_warn_once("PF_CAN: dropped non conform CAN FD skbuf: dev type %d, len %d, datalen %d\n",
>> + if (unlikely(dev->type != ARPHRD_CAN || skb->len != CANFD_MTU)) {
>> + pr_warn_once("PF_CAN: dropped non conform CAN FD skbuff: dev type %d, len %d\n",
>> + dev->type, skb->len);
>> + goto free_skb;
>> + }
>> +
>> + // This check is made separately since cfd->len would be uninitialized if skb->len = 0.
> Please don't use C++ comment style in the kernel.
Noted. I'll have this fixed in the v2.
>
>> + else if (unlikely(cfd->len > CANFD_MAX_DLEN)) {
> Please move the "else" right after the closing curly bracket: "} else if () {"
> or convert it into an "if () {"
Noted.
>
>> + pr_warn_once("PF_CAN: dropped non conform CAN FD skbuff: dev type %d, len %d, datalen %d\n",
>> dev->type, skb->len, cfd->len);
>> - kfree_skb(skb);
>> - return NET_RX_DROP;
>> + goto free_skb;
>> }
>>
>> can_receive(skb, dev);
>> return NET_RX_SUCCESS;
>> +
>> +free_skb:
>> + kfree_skb(skb);
>> + return NET_RX_DROP;
>> }
>>
>> /* af_can protocol functions */
>>
> regards,
> Marc
Thank you for your time.
Thanks,
Anant
Powered by blists - more mailing lists