lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20250924143644.17622-2-mailhol@kernel.org>
Date: Wed, 24 Sep 2025 23:35:44 +0900
From: Vincent Mailhol <mailhol@...nel.org>
To: Oliver Hartkopp <socketcan@...tkopp.net>,
	mkl@...gutronix.de
Cc: syzbot@...ts.linux.dev,
	syzkaller-bugs@...glegroups.com,
	syzbot ci <syzbot+ci284feacb80736eb0@...kaller.appspotmail.com>,
	biju.das.jz@...renesas.com,
	davem@...emloft.net,
	geert@...der.be,
	kernel@...gutronix.de,
	kuba@...nel.org,
	linux-can@...r.kernel.org,
	netdev@...r.kernel.org,
	stefan.maetje@....eu,
	stephane.grosjean@...-networks.com,
	zhao.xichao@...o.com,
	Vincent Mailhol <mailhol@...nel.org>
Subject: [PATCH] can: dev: fix out-of-bound read in can_set_default_mtu()

Under normal usage, the virtual interfaces do not call can_setup(),
unless if trigger by a call to can_link_ops->setup().

Patch [1] did not consider this scenario resulting in an out of bound
read in can_setup() when calling can_link_ops->setup() as reported by
syzbot ci in [2].

Replacing netdev_priv() by safe_candev_priv() may look like a
potential solution at first glance but is not: can_setup() is used as
a callback function in alloc_netdev_mqs(). At the moment this callback
is called, priv is not yet fully setup and thus, safe_candev_priv()
would fail on physical interfaces. In other words, safe_candev_priv()
is solving the problem for virtual interfaces, but adding another
issue for physical interfaces.

Remove the call to can_set_default_mtu() in can_setup(). Instead,
manually set the MTU the default CAN MTU. This decorrelates the two
functions, effectively removing the conflict.

[1] can: populate the minimum and maximum MTU values
Link: https://lore.kernel.org/linux-can/20250923-can-fix-mtu-v3-3-581bde113f52@kernel.org/

[2] https://lore.kernel.org/linux-can/68d3e6ce.a70a0220.4f78.0028.GAE@google.com/

Signed-off-by: Vincent Mailhol <mailhol@...nel.org>
---
@Marc, please squash in

  [PATCH net-next 27/48] can: populate the minimum and maximum MTU values
---
 drivers/net/can/dev/dev.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/drivers/net/can/dev/dev.c b/drivers/net/can/dev/dev.c
index e5a82aa77958..15ccedbb3f8d 100644
--- a/drivers/net/can/dev/dev.c
+++ b/drivers/net/can/dev/dev.c
@@ -272,12 +272,13 @@ EXPORT_SYMBOL_GPL(can_bus_off);
 void can_setup(struct net_device *dev)
 {
 	dev->type = ARPHRD_CAN;
+	dev->mtu = CAN_MTU;
+	dev->min_mtu = CAN_MTU;
+	dev->max_mtu = CAN_MTU;
 	dev->hard_header_len = 0;
 	dev->addr_len = 0;
 	dev->tx_queue_len = 10;
 
-	can_set_default_mtu(dev);
-
 	/* New-style flags. */
 	dev->flags = IFF_NOARP;
 	dev->features = NETIF_F_HW_CSUM;
-- 
2.49.1

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ