| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <c65fae56-cb75-4039-908d-25c41338b801@kvaser.com> Date: Mon, 3 Nov 2025 09:51:16 +0100 From: Jimmy Assarsson <extja@...ser.com> To: Seungjin Bae <eeodqql09@...il.com> Cc: Kyungtae Kim <Kyungtae.Kim@...tmouth.edu>, linux-can@...r.kernel.org, linux-kernel@...r.kernel.org, Marc Kleine-Budde <mkl@...gutronix.de>, Vincent Mailhol <mailhol@...nel.org> Subject: Re: [PATCH v2] can: kvaser_usb: leaf: Fix potential infinite loop in command parsers On 10/29/25 20:06, Seungjin Bae wrote: > Hello Jimmy, > > Thank you for trying to reproduce the issue and for the detailed > explanation of the firmware logic. > > You are correct that this issue would not occur with the standard Kvaser > firmware. The vulnerability I reported wasn’t found by running code > on an actual Kvaser device. > > Instead, I discovered this issue by performing analysis on the driver > code using a symbolic execution tool. This tool demonstrated that > the driver contains a vulnerable code path. > > My goal was to show that if a malicious device is connected—one that > sends a specifically crafted packet sequence not normally produced by > the firmware—the driver code will process it incorrectly and cause > the kernel panic. > > So regretfully, I don’t have any hardware information yet. Sorry, I overlooked the title, and assumed this was a problem you had encountered with a real device. Patch LGTM and tested OK with actual Kvaser devices: Reviewed-by: Jimmy Assarsson <extja@...ser.com> Tested-by: Jimmy Assarsson <extja@...ser.com> Thanks! /jimmy > Thank you for your precious time. > > Best, > Seungjin Bae > > 2025년 10월 29일 (수) 오전 6:53, Jimmy Assarsson <extja@...ser.com > <mailto:extja@...ser.com>>님이 작성: > > On 10/26/25 14:26, Jimmy Assarsson wrote: > > Hi Seungjin, > > > > Thanks for fixing this! > > I'll do some testing in the beginning of next week. > > Which Kvaser device did you use when you discovered the problem? > > > > Best regards, > > jimmy > > Hi Seungjin, > > I've not been able to reproduce this problem, when testing with the > latest firmware on multiple different devices. > > If the next command in the firmware packet queue, doesn't fit within the > current endpoint transaction (wMaxPacketSize), the firmware will > terminate the transaction with a zero byte. The driver then interprets > this as a zero-length command, and skip to the next transaction. > > The firmware is responsible to insert a "zero termination byte" only > when there is already one or more packets in the current transaction. > Since all commands have even lengths (4,8,10,12,16,20,24,30,32 bytes) > and the wMaxPacketSize is also even (64 bytes or 512 bytes, depending on > the device), I cannot see a situation where the zero termination byte > would be inserted exactly at the wMaxPacketSize boundary. > > Can you please provide which Kvaser device and firmware you use: > lsusb -d 0bfd: > ethtool -i can0 > > Best regards, > jimmy
Powered by blists - more mailing lists