Received: by 2002:ad5:474a:0:0:0:0:0 with SMTP id i10csp4563095imu; Tue, 29 Jan 2019 03:52:20 -0800 (PST) X-Google-Smtp-Source: ALg8bN5rjfOyV5Rk16iHjM8Zpjnw3PMeU8s3Gqp2zQJZ5ph5R7wgYIDTBAcZqlZH2I+e/t2sr8D+ X-Received: by 2002:a62:8add:: with SMTP id o90mr25633139pfk.210.1548762740623; Tue, 29 Jan 2019 03:52:20 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1548762740; cv=none; d=google.com; s=arc-20160816; b=d8umex2iR5ELsIIKZ8AkK98lWjV8RWfdXvIR2OZyKxsGS/DEV6q1cyao3tdK9VxHZ0 iGIE0F300N4295Rrljq6wtdp08OLi5B/Tevym8gb1nD46ORM3MyQpRzf2XIbOiNRgx5u oOYkPZQN0KIZeElVpq2PtqY67aSjnzKKIWQkqoWSHzy4uhrSIJLIJsR8ZJLI/GrZScSa bSQVzoxEWpTJA3oz7wRnrmVNpSOUvBX3607XD56V+nOQN62CtQOgRRWZptnkaXu6Pds6 9JVEV2JSHcZ9GDm1PVdNmajbM205FHYF8CWThzJQ8M2Gao0Iv7jZPP0ch9Y0SfWplx36 hmIg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=Zk6DWdoo8JbQug0Z2ZxOcMwJA9X0PJxDJ/V0eVn1V5A=; b=GKYEuxcFD1bjhEm3QgoaP64/ZFaJlle46M+vxdYwx7g3IAkXR45ZVWxDdYYNPxb2mu OyhNs79mYYkw1XcVY8mMnRlGzhbfMFjbVZmFop8lrZyOhTA/ph/8B+uS332fsWhmtFbf cQcgfO6vYhYnMMQupeu5aht7bDYQjRAl7tQp5r3OkBIaegNxwUjJjOCOswesEfzO0QG5 cSjqNECsnilXrJm9GmhGYCEN/5+D9VTdMFPv6IhDWmhqCGdcszKz1VGe88YWlufQphAr q8o329QodcZpSRBDsResfXJHGZI0TuUhsaQMzCnEggKKsG+7IKN59ObI7lOrppeyaBBz +DSw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=nSc4DPaB; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id r138si36427684pgr.58.2019.01.29.03.52.05; Tue, 29 Jan 2019 03:52:20 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=nSc4DPaB; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1732001AbfA2LwA (ORCPT + 99 others); Tue, 29 Jan 2019 06:52:00 -0500 Received: from mail.kernel.org ([198.145.29.99]:43586 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1731978AbfA2Lv5 (ORCPT ); Tue, 29 Jan 2019 06:51:57 -0500 Received: from localhost (5356596B.cm-6-7b.dynamic.ziggo.nl [83.86.89.107]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 6EB7B2086C; Tue, 29 Jan 2019 11:51:55 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1548762715; bh=HnGt8oK4+yt2IafODQItCyp0f+Gbqpg7wLhZ3Lt/yKU=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=nSc4DPaBPsHIgKNaN7D19aFjMITkb2E6R6Los8r3pNJe4XHX2x2T5xiCLXLiwqxbu eKbB52AcWwCGnwRSkQb0AJZenoZ0FLiXIg5ytVBI56dorQ1HTaXILwRO9eUdaAbO59 mR120Fcl6uIwZZ04ztvCd78GmE0s5cGMytIPrjs4= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Kyungtae Kim , Oliver Hartkopp , Andre Naujoks , Marc Kleine-Budde Subject: [PATCH 4.9 34/44] can: bcm: check timer values before ktime conversion Date: Tue, 29 Jan 2019 12:36:29 +0100 Message-Id: <20190129113142.685671251@linuxfoundation.org> X-Mailer: git-send-email 2.20.1 In-Reply-To: <20190129113139.826927690@linuxfoundation.org> References: <20190129113139.826927690@linuxfoundation.org> User-Agent: quilt/0.65 X-stable: review X-Patchwork-Hint: ignore MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org 4.9-stable review patch. If anyone has any objections, please let me know. ------------------ From: Oliver Hartkopp commit 93171ba6f1deffd82f381d36cb13177872d023f6 upstream. Kyungtae Kim detected a potential integer overflow in bcm_[rx|tx]_setup() when the conversion into ktime multiplies the given value with NSEC_PER_USEC (1000). Reference: https://marc.info/?l=linux-can&m=154732118819828&w=2 Add a check for the given tv_usec, so that the value stays below one second. Additionally limit the tv_sec value to a reasonable value for CAN related use-cases of 400 days and ensure all values to be positive. Reported-by: Kyungtae Kim Tested-by: Oliver Hartkopp Signed-off-by: Oliver Hartkopp Cc: linux-stable # >= 2.6.26 Tested-by: Kyungtae Kim Acked-by: Andre Naujoks Signed-off-by: Marc Kleine-Budde Signed-off-by: Greg Kroah-Hartman --- net/can/bcm.c | 27 +++++++++++++++++++++++++++ 1 file changed, 27 insertions(+) --- a/net/can/bcm.c +++ b/net/can/bcm.c @@ -67,6 +67,9 @@ */ #define MAX_NFRAMES 256 +/* limit timers to 400 days for sending/timeouts */ +#define BCM_TIMER_SEC_MAX (400 * 24 * 60 * 60) + /* use of last_frames[index].flags */ #define RX_RECV 0x40 /* received data for this element */ #define RX_THR 0x80 /* element not been sent due to throttle feature */ @@ -142,6 +145,22 @@ static inline ktime_t bcm_timeval_to_kti return ktime_set(tv.tv_sec, tv.tv_usec * NSEC_PER_USEC); } +/* check limitations for timeval provided by user */ +static bool bcm_is_invalid_tv(struct bcm_msg_head *msg_head) +{ + if ((msg_head->ival1.tv_sec < 0) || + (msg_head->ival1.tv_sec > BCM_TIMER_SEC_MAX) || + (msg_head->ival1.tv_usec < 0) || + (msg_head->ival1.tv_usec >= USEC_PER_SEC) || + (msg_head->ival2.tv_sec < 0) || + (msg_head->ival2.tv_sec > BCM_TIMER_SEC_MAX) || + (msg_head->ival2.tv_usec < 0) || + (msg_head->ival2.tv_usec >= USEC_PER_SEC)) + return true; + + return false; +} + #define CFSIZ(flags) ((flags & CAN_FD_FRAME) ? CANFD_MTU : CAN_MTU) #define OPSIZ sizeof(struct bcm_op) #define MHSIZ sizeof(struct bcm_msg_head) @@ -884,6 +903,10 @@ static int bcm_tx_setup(struct bcm_msg_h if (msg_head->nframes < 1 || msg_head->nframes > MAX_NFRAMES) return -EINVAL; + /* check timeval limitations */ + if ((msg_head->flags & SETTIMER) && bcm_is_invalid_tv(msg_head)) + return -EINVAL; + /* check the given can_id */ op = bcm_find_op(&bo->tx_ops, msg_head, ifindex); if (op) { @@ -1063,6 +1086,10 @@ static int bcm_rx_setup(struct bcm_msg_h (!(msg_head->can_id & CAN_RTR_FLAG)))) return -EINVAL; + /* check timeval limitations */ + if ((msg_head->flags & SETTIMER) && bcm_is_invalid_tv(msg_head)) + return -EINVAL; + /* check the given can_id */ op = bcm_find_op(&bo->rx_ops, msg_head, ifindex); if (op) {