lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20250924-monumental-impartial-auk-719514-mkl@pengutronix.de>
Date: Wed, 24 Sep 2025 17:13:01 +0200
From: Marc Kleine-Budde <mkl@...gutronix.de>
To: Vincent Mailhol <mailhol@...nel.org>
Cc: Oliver Hartkopp <socketcan@...tkopp.net>, syzbot@...ts.linux.dev, 
	syzkaller-bugs@...glegroups.com, syzbot ci <syzbot+ci284feacb80736eb0@...kaller.appspotmail.com>, 
	biju.das.jz@...renesas.com, davem@...emloft.net, geert@...der.be, kernel@...gutronix.de, 
	kuba@...nel.org, linux-can@...r.kernel.org, netdev@...r.kernel.org, 
	stefan.maetje@....eu, stephane.grosjean@...-networks.com, zhao.xichao@...o.com
Subject: Re: [PATCH] can: dev: fix out-of-bound read in can_set_default_mtu()

On 24.09.2025 23:35:44, Vincent Mailhol wrote:
> Under normal usage, the virtual interfaces do not call can_setup(),
> unless if trigger by a call to can_link_ops->setup().
> 
> Patch [1] did not consider this scenario resulting in an out of bound
> read in can_setup() when calling can_link_ops->setup() as reported by
> syzbot ci in [2].
> 
> Replacing netdev_priv() by safe_candev_priv() may look like a
> potential solution at first glance but is not: can_setup() is used as
> a callback function in alloc_netdev_mqs(). At the moment this callback
> is called, priv is not yet fully setup and thus, safe_candev_priv()
> would fail on physical interfaces. In other words, safe_candev_priv()
> is solving the problem for virtual interfaces, but adding another
> issue for physical interfaces.
> 
> Remove the call to can_set_default_mtu() in can_setup(). Instead,
> manually set the MTU the default CAN MTU. This decorrelates the two
> functions, effectively removing the conflict.
> 
> [1] can: populate the minimum and maximum MTU values
> Link: https://lore.kernel.org/linux-can/20250923-can-fix-mtu-v3-3-581bde113f52@kernel.org/
> 
> [2] https://lore.kernel.org/linux-can/68d3e6ce.a70a0220.4f78.0028.GAE@google.com/
> 
> Signed-off-by: Vincent Mailhol <mailhol@...nel.org>
> ---
> @Marc, please squash in
> 
>   [PATCH net-next 27/48] can: populate the minimum and maximum MTU values

I've not changed the commit message of "can: populate the minimum and
maximum MTU values", just added the note that I've squashed this fixup
patch.

I've created a new tag: linux-can-next-for-6.18-20250924

regards,
Marc

-- 
Pengutronix e.K.                 | Marc Kleine-Budde          |
Embedded Linux                   | https://www.pengutronix.de |
Vertretung Nürnberg              | Phone: +49-5121-206917-129 |
Amtsgericht Hildesheim, HRA 2686 | Fax:   +49-5121-206917-9   |

Download attachment "signature.asc" of type "application/pgp-signature" (489 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ