lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:   Fri, 28 Oct 2022 09:13:09 +0200
From:   Oliver Hartkopp <socketcan@...tkopp.net>
To:     Zhengchao Shao <shaozhengchao@...wei.com>,
        linux-can@...r.kernel.org, netdev@...r.kernel.org,
        mkl@...gutronix.de, davem@...emloft.net, edumazet@...gle.com,
        kuba@...nel.org, pabeni@...hat.com
Cc:     linux@...pel-privat.de, weiyongjun1@...wei.com,
        yuehaibing@...wei.com
Subject: Re: [PATCH net] can: af_can: fix NULL pointer dereference in
 can_rx_register()

Hello,

On 28.10.22 05:33, Zhengchao Shao wrote:
> It causes NULL pointer dereference when testing as following:
> (a) use syscall(__NR_socket, 0x10ul, 3ul, 0) to create netlink socket.
> (b) use syscall(__NR_sendmsg, ...) to create bond link device and vxcan
>      link device, and bind vxcan device to bond device (can also use
>      ifenslave command to bind vxcan device to bond device).
> (c) use syscall(__NR_socket, 0x1dul, 3ul, 1) to create CAN socket.
> (d) use syscall(__NR_bind, ...) to bind the bond device to CAN socket.
> 
> The bond device invokes the can-raw protocol registration interface to
> receive CAN packets. However, ml_priv is not allocated to the dev,
> dev_rcv_lists is assigned to NULL in can_rx_register(). In this case,
> it will occur the NULL pointer dereference issue.

I can see the problem and see that the patch makes sense for 
can_rx_register().

But for me the problem seems to be located in the bonding device.

A CAN interface with dev->type == ARPHRD_CAN *always* has the 
dev->ml_priv and dev->ml_priv_type set correctly.

I'm not sure if a bonding device does the right thing by just 'claiming' 
to be a CAN device (by setting dev->type to ARPHRD_CAN) but not taking 
care of being a CAN device and taking care of ml_priv specifics.

This might also be the case in other ml_priv use cases.

Would it probably make sense to blacklist CAN devices in bonding devices?

Thanks & best regards,
Oliver

> 
> The following is the stack information:
> BUG: kernel NULL pointer dereference, address: 0000000000000008
> PGD 122a4067 P4D 122a4067 PUD 1223c067 PMD 0
> Oops: 0000 [#1] PREEMPT SMP
> RIP: 0010:can_rx_register+0x12d/0x1e0
> Call Trace:
> <TASK>
> raw_enable_filters+0x8d/0x120
> raw_enable_allfilters+0x3b/0x130
> raw_bind+0x118/0x4f0
> __sys_bind+0x163/0x1a0
> __x64_sys_bind+0x1e/0x30
> do_syscall_64+0x35/0x80
> entry_SYSCALL_64_after_hwframe+0x63/0xcd
> </TASK>
> 
> Fixes: 4e096a18867a ("net: introduce CAN specific pointer in the struct net_device")
> Signed-off-by: Zhengchao Shao <shaozhengchao@...wei.com>
> ---
>   net/can/af_can.c | 2 +-
>   1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/net/can/af_can.c b/net/can/af_can.c
> index 9503ab10f9b8..ef2697f3ebcb 100644
> --- a/net/can/af_can.c
> +++ b/net/can/af_can.c
> @@ -450,7 +450,7 @@ int can_rx_register(struct net *net, struct net_device *dev, canid_t can_id,
>   
>   	/* insert new receiver  (dev,canid,mask) -> (func,data) */
>   
> -	if (dev && dev->type != ARPHRD_CAN)
> +	if (dev && (dev->type != ARPHRD_CAN || dev->ml_priv_type != ML_PRIV_CAN))
>   		return -ENODEV;
>   
>   	if (dev && !net_eq(net, dev_net(dev)))

Powered by blists - more mailing lists