lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Fri, 15 Jan 2021 15:30:36 +0100
From:   Oleksij Rempel <o.rempel@...gutronix.de>
To:     mkl@...gutronix.de, "David S. Miller" <davem@...emloft.net>,
        Jakub Kicinski <kuba@...nel.org>,
        Oliver Hartkopp <socketcan@...tkopp.net>,
        Robin van der Gracht <robin@...tonic.nl>
Cc:     Oleksij Rempel <o.rempel@...gutronix.de>, kernel@...gutronix.de,
        linux-can@...r.kernel.org, netdev@...r.kernel.org,
        linux-kernel@...r.kernel.org
Subject: [RFC PATCH net 2/2] net: can: j1939: fix check for valid CAN devices

With the last patch a dedicated struct can_ml pointer was added to the
struct netdevice to store CAN stack related private data. The data is
only allocated and the pointer is only set by CAN devices.

Now we use a NULL pointer check on ndev->can to check for real CAN
devices. Only checking the ARPHRD via ndev->type is not sufficient,
since it can be set by user space to an arbitrary value for tun/tap
devices.

Since the ndev->type and ndev->can are now checked early, this patch
removes obsolete checks further down the call stacks.

Signed-off-by: Oleksij Rempel <o.rempel@...gutronix.de>
---
 net/can/j1939/main.c   | 12 +++---------
 net/can/j1939/socket.c |  2 +-
 2 files changed, 4 insertions(+), 10 deletions(-)

diff --git a/net/can/j1939/main.c b/net/can/j1939/main.c
index 62088074230d..fbc0d25046e2 100644
--- a/net/can/j1939/main.c
+++ b/net/can/j1939/main.c
@@ -213,9 +213,6 @@ static inline struct j1939_priv *j1939_ndev_to_priv(struct net_device *ndev)
 {
 	struct can_ml_priv *can_ml_priv = ndev->can;
 
-	if (!can_ml_priv)
-		return NULL;
-
 	return can_ml_priv->j1939_priv;
 }
 
@@ -225,9 +222,6 @@ static struct j1939_priv *j1939_priv_get_by_ndev_locked(struct net_device *ndev)
 
 	lockdep_assert_held(&j1939_netdev_lock);
 
-	if (ndev->type != ARPHRD_CAN)
-		return NULL;
-
 	priv = j1939_ndev_to_priv(ndev);
 	if (priv)
 		j1939_priv_get(priv);
@@ -350,13 +344,13 @@ static int j1939_netdev_notify(struct notifier_block *nb,
 	struct net_device *ndev = netdev_notifier_info_to_dev(data);
 	struct j1939_priv *priv;
 
+	if (ndev->type != ARPHRD_CAN || !ndev->can)
+		goto notify_put;
+
 	priv = j1939_priv_get_by_ndev(ndev);
 	if (!priv)
 		goto notify_done;
 
-	if (ndev->type != ARPHRD_CAN)
-		goto notify_put;
-
 	switch (msg) {
 	case NETDEV_DOWN:
 		j1939_cancel_active_session(priv, NULL);
diff --git a/net/can/j1939/socket.c b/net/can/j1939/socket.c
index 8010fbc8bd29..61732e558980 100644
--- a/net/can/j1939/socket.c
+++ b/net/can/j1939/socket.c
@@ -461,7 +461,7 @@ static int j1939_sk_bind(struct socket *sock, struct sockaddr *uaddr, int len)
 			goto out_release_sock;
 		}
 
-		if (ndev->type != ARPHRD_CAN) {
+		if (ndev->type != ARPHRD_CAN || !ndev->can) {
 			dev_put(ndev);
 			ret = -ENODEV;
 			goto out_release_sock;
-- 
2.30.0

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ