From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Muyu Yu, Marcus Meissner, Michal Kubecek, Oliver Hartkopp, Marc Kleine-Budde, "David S. Miller"
Subject: [PATCH 4.19 05/99] can: gw: ensure DLC boundaries after CAN frame modification
Date: Mon, 21 Jan 2019 14:47:57 +0100
Message-Id: <20190121134914.120817570@linuxfoundation.org>
X-Mailer: git-send-email 2.20.1
In-Reply-To: <20190121134913.924726465@linuxfoundation.org>
References: <20190121134913.924726465@linuxfoundation.org>
User-Agent: quilt/0.65
X-stable: review
X-Patchwork-Hint: ignore
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

4.19-stable review patch. If anyone has any objections, please let me know.

------------------
From: Oliver Hartkopp

commit 0aaa81377c5a01f686bcdb8c7a6929a7bf330c68 upstream.

Muyu Yu provided a POC where user root with CAP_NET_ADMIN can create a CAN frame modification rule that makes the data length code a higher value than the available CAN frame data size.

In combination with a configured checksum calculation where the result is stored relative to the end of the data (e.g. cgw_csum_xor_rel) the tail of the skb (e.g. frag_list pointer in skb_shared_info) can be rewritten which finally can cause a system crash.

Michal Kubecek suggested dropping frames that have a DLC exceeding the available space after the modification process and provided a patch that can handle CAN FD frames too. Within this patch we also limit the length for the checksum calculations to the maximum of Classic CAN data length (8).

CAN frames that are dropped by these additional checks are counted with the CGW_DELETED counter which indicates misconfigurations in can-gw rules.

This fixes CVE-2019-3701.

Reported-by: Muyu Yu
Reported-by: Marcus Meissner
Suggested-by: Michal Kubecek
Tested-by: Muyu Yu
Tested-by: Oliver Hartkopp
Signed-off-by: Oliver Hartkopp
Cc: linux-stable # >= v3.2
Signed-off-by: Marc Kleine-Budde
Signed-off-by: David S. Miller
Signed-off-by: Greg Kroah-Hartman
---
 net/can/gw.c | 30 +++++++++++++++++++++++++++---
 1 file changed, 27 insertions(+), 3 deletions(-)

--- a/net/can/gw.c
+++ b/net/can/gw.c
@@ -416,13 +416,29 @@ static void can_can_gw_rcv(struct sk_buf while (modidx < MAX_MODFUNCTIONS && gwj->mod.modfunc[modidx]) (*gwj->mod.modfunc[modidx++])(cf, &gwj->mod); - /* check for checksum updates when the CAN frame has been modified */ + /* Has the CAN frame been modified? */ if (modidx) { - if (gwj->mod.csumfunc.crc8) + /* get available space for the processed CAN frame type */ + int max_len = nskb->len - offsetof(struct can_frame, data); + + /* dlc may have changed, make sure it fits to the CAN frame */ + if (cf->can_dlc > max_len) + goto out_delete; + + /* check for checksum updates in classic CAN length only */ + if (gwj->mod.csumfunc.crc8) { + if (cf->can_dlc > 8) + goto out_delete; + (*gwj->mod.csumfunc.crc8)(cf, &gwj->mod.csum.crc8); + } + + if (gwj->mod.csumfunc.xor) { + if (cf->can_dlc > 8) + goto out_delete; - if (gwj->mod.csumfunc.xor) (*gwj->mod.csumfunc.xor)(cf, &gwj->mod.csum.xor); + } } /* clear the skb timestamp if not configured the other way */ @@ -434,6 +450,14 @@ static void can_can_gw_rcv(struct sk_buf gwj->dropped_frames++; else gwj->handled_frames++; + + return; + + out_delete: + /* delete frame due to misconfiguration */ + gwj->deleted_frames++; + kfree_skb(nskb); + return; } static inline int cgw_register_filter(struct net *net, struct cgw_job *gwj)
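Review bot: in the first hunk, `int max_len = nskb->len - offsetof(struct can_frame, data);` is applied to CAN FD frames as well (the commit message says the patch handles them), so the check silently relies on `struct canfd_frame` placing its `data` array at the same offset as `struct can_frame`; that is true today (both put `data` at offset 8), but a one-line comment saying so next to that line would stop the next reader from having to verify it. Also, `if (cf->can_dlc > 8) goto out_delete;` is repeated verbatim in the crc8 and xor branches; hoisting it into a single test such as `if ((gwj->mod.csumfunc.crc8 || gwj->mod.csumfunc.xor) && cf->can_dlc > 8)` ahead of the two calls keeps the Classic-CAN length rule in one place and makes the two branches symmetric again.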
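Review bot: in the second hunk, the `out_delete:` path frees `nskb` and bumps `gwj->deleted_frames++`, correctly keeping it apart from `dropped_frames` (which still means can_send() failed), but the comment `/* delete frame due to misconfiguration */` does not say which misconfiguration; since this counter (CGW_DELETED, per the commit message) is now the only run-time signal that a rule was rejected, the two causes (DLC larger than the available frame size, checksum rule applied to a DLC above 8) should be named either in that comment or in the CGW_DELETED description so an operator can interpret a rising count.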
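The DLC boundary check the commit message describes, modelled in user-space C as an added example (not code from the patch or the kernel): `gw_check_modified_frame` applies the patch's two tests, and `calc_idx` mirrors the relative-index rule that lets an oversized DLC point past `data[]`; the struct layout copies linux/can.h, while the function names and the `verdict_for` helper are assumptions.

```c
/* Added example, not code from the patch or the kernel: a user-space model of the
 * DLC boundary check that can_can_gw_rcv() gains in this patch. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define CAN_MAX_DLEN 8          /* Classic CAN payload size */

struct can_frame {              /* same layout as linux/can.h: data[] at offset 8 */
    uint32_t can_id;
    uint8_t  can_dlc;
    uint8_t  pad, res0, res1;
    uint8_t  data[CAN_MAX_DLEN];
};

enum gw_verdict { GW_FORWARD = 0, GW_DELETE = 1 };

/* Mirrors calc_idx() in net/can/gw.c: a negative index counts back from the DLC,
 * so once a rule has set an oversized DLC the result index lands past data[]. */
int calc_idx(int idx, int dlc)
{
    return idx < 0 ? dlc + idx : idx;
}

/* The patch's two checks. skb_len is the number of bytes the skb really holds
 * (16 for Classic CAN, 72 for CAN FD); csum_configured says a crc8/xor rule is set. */
enum gw_verdict gw_check_modified_frame(const struct can_frame *cf, size_t skb_len,
                                        int csum_configured)
{
    int max_len = (int)skb_len - (int)offsetof(struct can_frame, data);

    if (cf->can_dlc > max_len)                         /* DLC no longer fits the frame */
        return GW_DELETE;
    if (csum_configured && cf->can_dlc > CAN_MAX_DLEN) /* checksums: classic length only */
        return GW_DELETE;
    return GW_FORWARD;
}

/* Verdict for a zeroed frame whose DLC a modification rule has set to dlc
 * (assumed helper, constructed input). */
int verdict_for(uint8_t dlc, size_t skb_len, int csum_configured)
{
    struct can_frame f;
    memset(&f, 0, sizeof f);
    f.can_dlc = dlc;
    return gw_check_modified_frame(&f, skb_len, csum_configured);
}
```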