Open Source and information security mailing list archives
 
Message-Id: <20190104145526.28492-1-mkl@pengutronix.de>
Date:   Fri,  4 Jan 2019 15:55:26 +0100
From:   Marc Kleine-Budde <mkl@...gutronix.de>
To:     linux-can@...r.kernel.org
Cc:     kernel@...gutronix.de, David Miller <davem@...emloft.net>,
        netdev@...r.kernel.org, Oliver Hartkopp <socketcan@...tkopp.net>,
        Muyu Yu <ieatmuttonchuan@...il.com>,
        Marcus Meissner <meissner@...e.de>,
        Michal Kubecek <mkubecek@...e.cz>,
        linux-stable <stable@...r.kernel.org>,
        Marc Kleine-Budde <mkl@...gutronix.de>
Subject: [PATCH v3] can: gw: ensure DLC boundaries after CAN frame modification

From: Oliver Hartkopp <socketcan@...tkopp.net>

Muyu Yu provided a POC where user root with CAP_NET_ADMIN can create a CAN
frame modification rule that makes the data length code a higher value than
the available CAN frame data size. In combination with a configured checksum
calculation where the result is stored relative to the end of the data
(e.g. cgw_csum_xor_rel) the tail of the skb (e.g. frag_list pointer in
skb_shared_info) can be rewritten which finally can cause a system crash.

Michal Kubecek suggested dropping frames that have a DLC exceeding the
available space after the modification process and provided a patch that can
handle CAN FD frames too. Within this patch we also limit the length for the
checksum calculations to the maximum of Classic CAN data length (8).

CAN frames that are dropped by these additional checks are counted with the
CGW_DELETED counter which indicates misconfigurations in can-gw rules.

This fixes CVE-2019-3701.

Reported-by: Muyu Yu <ieatmuttonchuan@...il.com>
Reported-by: Marcus Meissner <meissner@...e.de>
Suggested-by: Michal Kubecek <mkubecek@...e.cz>
Tested-by: Muyu Yu <ieatmuttonchuan@...il.com>
Tested-by: Oliver Hartkopp <socketcan@...tkopp.net>
Signed-off-by: Oliver Hartkopp <socketcan@...tkopp.net>
Cc: linux-stable <stable@...r.kernel.org> # >= v3.2
Signed-off-by: Marc Kleine-Budde <mkl@...gutronix.de>
---
Hello,

I've removed the else from the dlc length check. Keeps the code and the
patch more readable.

Marc

Changes since v2:
- add newline after goto (Tnx, Oliver)
Changes since v1:
- remove else from dlc length check.

 net/can/gw.c | 30 +++++++++++++++++++++++++++---
 1 file changed, 27 insertions(+), 3 deletions(-)

diff --git a/net/can/gw.c b/net/can/gw.c
index faa3da88a127..53859346dc9a 100644
--- a/net/can/gw.c
+++ b/net/can/gw.c
@@ -416,13 +416,29 @@ static void can_can_gw_rcv(struct sk_buff *skb, void *data)
 	while (modidx < MAX_MODFUNCTIONS && gwj->mod.modfunc[modidx])
 		(*gwj->mod.modfunc[modidx++])(cf, &gwj->mod);
 
-	/* check for checksum updates when the CAN frame has been modified */
+	/* Has the CAN frame been modified? */
 	if (modidx) {
-		if (gwj->mod.csumfunc.crc8)
+		/* get available space for the processed CAN frame type */
+		int max_len = nskb->len - offsetof(struct can_frame, data);
+
+		/* dlc may have changed, make sure it fits to the CAN frame */
+		if (cf->can_dlc > max_len)
+			goto out_delete;
+
+		/* check for checksum updates in classic CAN length only */
+		if (gwj->mod.csumfunc.crc8) {
+			if (cf->can_dlc > 8)
+				goto out_delete;
+
 			(*gwj->mod.csumfunc.crc8)(cf, &gwj->mod.csum.crc8);
+		}
+
+		if (gwj->mod.csumfunc.xor) {
+			if (cf->can_dlc > 8)
+				goto out_delete;
 
-		if (gwj->mod.csumfunc.xor)
 			(*gwj->mod.csumfunc.xor)(cf, &gwj->mod.csum.xor);
+		}
 	}
 
 	/* clear the skb timestamp if not configured the other way */
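Review bot: the `cf->can_dlc > 8` test at the top of the crc8 and xor branches is duplicated verbatim; a single check ahead of both, e.g. `if ((gwj->mod.csumfunc.crc8 || gwj->mod.csumfunc.xor) && cf->can_dlc > 8) goto out_delete;`, would keep one place to maintain the Classic CAN limit and let the two call sites stay the one-liners they were before. If the per-branch form is kept, a named constant in place of the literal 8 would document the intent, provided that constant exists in every tree the `Cc: linux-stable # >= v3.2` line targets. The `max_len` check itself is well placed: it runs only after the modification functions inside `if (modidx)`, which is the only path on which `can_dlc` can have grown.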
@@ -434,6 +450,14 @@ static void can_can_gw_rcv(struct sk_buff *skb, void *data)
 		gwj->dropped_frames++;
 	else
 		gwj->handled_frames++;
+
+	return;
+
+ out_delete:
+	/* delete frame due to misconfiguration */
+	gwj->deleted_frames++;
+	kfree_skb(nskb);
+	return;
 }
 
 static inline int cgw_register_filter(struct net *net, struct cgw_job *gwj)
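Review bot: the `out_delete` path increments `deleted_frames` and frees `nskb` only; a one-line comment at the label recording why the original `skb` is left untouched would make that asymmetry obvious, since the label is reached from deep inside the modification block above and a reader landing here has to re-derive who owns which buffer. Also worth a note for backporters: the label deliberately sits after the new `return;`, so the normal path can never fall through into the delete accounting, and anyone reordering the tail of the function must keep that `return;`.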
-- 
2.20.1
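The overwrite the commit message describes and the check this patch adds, as an added user-space C model that is neither the patch nor kernel code: the frame layout (dlc at offset 4, data at offset 8), the 16-byte region standing in for the skb tail, the sample XOR rule and the names calc_idx, gw_csum_xor_rel and scenario are all constructed here, and the DLC change is assumed to come from a gw modification rule.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed model: 16-byte Classic CAN frame, then 16 bytes standing in for the skb tail. */
struct can_frame { uint32_t can_id; uint8_t can_dlc; uint8_t pad[3]; uint8_t data[8]; };
#define FRAME_LEN ((int)sizeof(struct can_frame))
#define SKB_MODEL (FRAME_LEN + 16)
#define TAIL_MARK 0xAA				/* sentinel filling the modelled tail */
#define DATA_OFF  ((int)offsetof(struct can_frame, data))
#define DLC_OFF   ((int)offsetof(struct can_frame, can_dlc))

/* can-gw style checksum rule; negative indexes count back from the end of the data. */
struct xor_rule { int from_idx, to_idx, result_idx; uint8_t init_xor_val; };
static int calc_idx(int idx, int dlc) { return idx < 0 ? dlc + idx : idx; }

/* Apply a gw DLC modification, then a relative XOR rule. Returns the data[] offset
 * written, or -1 when the DLC check (active only if fixed != 0) deletes the frame. */
int gw_csum_xor_rel(uint8_t *skb, int skb_len, uint8_t new_dlc,
		    const struct xor_rule *r, int fixed)
{
	int max_len = skb_len - DATA_OFF;	/* bytes really present behind data[] */
	int from = calc_idx(r->from_idx, new_dlc), to = calc_idx(r->to_idx, new_dlc);
	int res = calc_idx(r->result_idx, new_dlc), i;
	uint8_t v = r->init_xor_val;
	skb[DLC_OFF] = new_dlc;			/* pre-patch code trusts this value as-is */
	if (fixed && (new_dlc > max_len || new_dlc > 8))	/* 8: Classic CAN data limit */
		return -1;			/* counted as CGW_DELETED */
	for (i = from; i <= to; i++)
		v ^= skb[DATA_OFF + i];
	skb[DATA_OFF + res] = v;		/* res > 7 lands in the modelled tail */
	return res;
}

int last_tail_intact;	/* set by scenario(): 1 if nothing past the frame was overwritten */
/* Fresh modelled skb (dlc 8, data 0x01..0x08, sentinel tail), rule: XOR data[0..2] into the
 * last data byte (index -1). Keep new_dlc <= 24: the unchecked write must stay in the model. */
int scenario(uint8_t new_dlc, int fixed)
{
	static const struct xor_rule r = { 0, 2, -1, 0 };
	uint8_t skb[SKB_MODEL];
	int i, res;
	memset(skb, TAIL_MARK, SKB_MODEL); memset(skb, 0, FRAME_LEN);
	skb[DLC_OFF] = 8;
	for (i = 0; i < 8; i++) skb[DATA_OFF + i] = (uint8_t)(i + 1);
	res = gw_csum_xor_rel(skb, FRAME_LEN, new_dlc, &r, fixed);
	last_tail_intact = 1;
	for (i = FRAME_LEN; i < SKB_MODEL; i++) if (skb[i] != TAIL_MARK) last_tail_intact = 0;
	return res;
}
```

With dlc raised to 16 the unchecked path stores the checksum at data offset 15, inside the modelled tail, while the fixed path deletes the frame because 16 exceeds the 8 bytes the buffer actually carries.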
