| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 30 Jan 2020 14:57:39 +0100
From: Oliver Hartkopp <socketcan@...tkopp.net>
To: Sabrina Dubroca <sd@...asysnail.net>
Cc: linux-can@...r.kernel.org, netdev@...r.kernel.org,
syzbot+c3ea30e1e2485573f953@...kaller.appspotmail.com,
dvyukov@...gle.com, mkl@...gutronix.de, j.vosburgh@...il.com,
vfalico@...il.com, andy@...yhouse.net, davem@...emloft.net,
linux-stable <stable@...r.kernel.org>
Subject: Re: [PATCH] bonding: do not enslave CAN devices
On 30/01/2020 14.41, Sabrina Dubroca wrote:
> 2020-01-30, 14:30:46 +0100, Oliver Hartkopp wrote:
>> Since commit 8df9ffb888c ("can: make use of preallocated can_ml_priv for per
>> device struct can_dev_rcv_lists") the device specific CAN receive filter lists
>> are stored in netdev_priv() and dev->ml_priv points to these filters.
>>
>> In the bug report Syzkaller enslaved a vxcan1 CAN device and accessed the
>> bonding device with a PF_CAN socket which lead to a crash due to an access of
>> an unhandled bond_dev->ml_priv pointer.
>>
>> Deny to enslave CAN devices by the bonding driver as the resulting bond_dev
>> pretends to be a CAN device by copying dev->type without really being one.
>
> Does the team driver have the same problem?
Good point!
From a first look into team_setup_by_port() in team.c I would say YES :-)
Thanks for watching out! I would suggest to wait for some more feedback
and upstream of this fix.
Best regards,
Oliver
Powered by blists - more mailing lists