Received: by 2002:a25:8b91:0:0:0:0:0 with SMTP id j17csp5033516ybl;
        Tue, 14 Jan 2020 02:20:02 -0800 (PST)
X-Google-Smtp-Source: APXvYqzMSfN6jn+4S4YRJ6mtk5JDQEZzu7Zqghjm9cAQDogtnqy/S+9MG6ANPZCdIRexUD+UWlfN
X-Received: by 2002:a05:6830:1149:: with SMTP id x9mr16988310otq.156.1578997201872;
        Tue, 14 Jan 2020 02:20:01 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1578997201; cv=none;
        d=google.com; s=arc-20160816;
        b=S1iA0xYnCP16TtTATuMCmrWE0midqST9xmk7oMhatTyIYYSbn8CO4hrzar4FN/lEI0
         RFmX+ISTqx0Q19mh4tyQIEOT12pR3sodAK7FSjVIKFlgfp8bVhAhEU2VM0xdlg9esKlz
         DWTY28SlbgsnzpNpkY1AQQ6LIoefWuW9NmMGzB6RMPSNP0MIPC8sGe53phC2aS71GA+5
         d9isqzzQAlZ/saIM5llbwpjm3av9t/mtuUcAQWR7U0o1vme6xSj6x2kKWHW/6n5szeZY
         8KILKfSVrM5hWfb2D6k+9eWkVM3LtzqldyiyUkw2GWvCkdGI74ENTg6LtAbuOmUx4TrY
         xflw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:content-transfer-encoding:mime-version
         :user-agent:references:in-reply-to:message-id:date:subject:cc:to
         :from:dkim-signature;
        bh=hijgDoePQP+HhcSB0R60uz3nv3/4XwMYdd7rKh0Aaww=;
        b=KLyXIt7nP9DvJsrhXxRbPw+nbysCqs5vAz9QSTwONR6k2e0nJMgyfB8D93Dm8HJlM5
         fcvnWPjFeMKxB7WDYvQWbgu/Xky0PeOl1BpFsuf/BwRpMepScFnm+Oqul9lnkbwoQcrU
         Gcv0h3G6s9IY+BnrTFmlkdlSqpZowYB1JFTi3oQsT/vz1m7icke4glww1GVD2saTeffZ
         OTlACePe/Ea4la/HjnwotSPbEYTa+1h4mKpOUNW49GQLYzelS8HoJVVo7WzNyMIo4se5
         MEXigGGtfZLMASut+LIDe7riGx8CjKLmtlUZEhcZJ43Skq6swY90pXlGG3TMKe45+zgN
         OL+w==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@kernel.org header.s=default header.b=C6gUs0X2;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id 19si7189100oiq.128.2020.01.14.02.19.51;
        Tue, 14 Jan 2020 02:20:01 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@kernel.org header.s=default header.b=C6gUs0X2;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1730514AbgANKSf (ORCPT <rfc822;gklkml16@gmail.com> + 99 others);
        Tue, 14 Jan 2020 05:18:35 -0500
Received: from mail.kernel.org ([198.145.29.99]:37956 "EHLO mail.kernel.org"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S1730287AbgANKHe (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Tue, 14 Jan 2020 05:07:34 -0500
Received: from localhost (83-86-89-107.cable.dynamic.v4.ziggo.nl [83.86.89.107])
        (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
        (No client certificate requested)
        by mail.kernel.org (Postfix) with ESMTPSA id 8146E24679;
        Tue, 14 Jan 2020 10:07:32 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org;
        s=default; t=1578996453;
        bh=EzNgiiWZ33n+Hg8gPGnUEB6TwMW3CwgI6GJIxqhBaLE=;
        h=From:To:Cc:Subject:Date:In-Reply-To:References:From;
        b=C6gUs0X2OwfSWddcaHwhHnEE9DBqDW90UBnVucWzFnbwZPcLzM47CsS+ykCxspi0E
         lvlb2v8IjZT2GzbQMewPdC9oNemB4cmE37y0Ug9BDKEIv6zMv3WAsH+AaE/s47x0Ql
         WO1FJJRyxaahZ/F5eeBtf7Ce0sg7t4+31ndANH7U=
From:   Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To:     linux-kernel@vger.kernel.org
Cc:     Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        stable@vger.kernel.org,
        syzbot+b02ff0707a97e4e79ebb@syzkaller.appspotmail.com,
        Oliver Hartkopp <socketcan@hartkopp.net>,
        Marc Kleine-Budde <mkl@pengutronix.de>
Subject: [PATCH 4.19 22/46] can: can_dropped_invalid_skb(): ensure an initialized headroom in outgoing CAN sk_buffs
Date:   Tue, 14 Jan 2020 11:01:39 +0100
Message-Id: <20200114094344.962581194@linuxfoundation.org>
X-Mailer: git-send-email 2.24.1
In-Reply-To: <20200114094339.608068818@linuxfoundation.org>
References: <20200114094339.608068818@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

From: Oliver Hartkopp <socketcan@hartkopp.net>

commit e7153bf70c3496bac00e7e4f395bb8d8394ac0ea upstream.

KMSAN sysbot detected a read access to an untinitialized value in the
headroom of an outgoing CAN related sk_buff. When using CAN sockets this
area is filled appropriately - but when using a packet socket this
initialization is missing.

The problematic read access occurs in the CAN receive path which can
only be triggered when the sk_buff is sent through a (virtual) CAN
interface. So we check in the sending path whether we need to perform
the missing initializations.

Fixes: d3b58c47d330d ("can: replace timestamp as unique skb attribute")
Reported-by: syzbot+b02ff0707a97e4e79ebb@syzkaller.appspotmail.com
Signed-off-by: Oliver Hartkopp <socketcan@hartkopp.net>
Tested-by: Oliver Hartkopp <socketcan@hartkopp.net>
Cc: linux-stable <stable@vger.kernel.org> # >= v4.1
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 include/linux/can/dev.h |   34 ++++++++++++++++++++++++++++++++++
 1 file changed, 34 insertions(+)

--- a/include/linux/can/dev.h
+++ b/include/linux/can/dev.h
@@ -18,6 +18,7 @@
 #include <linux/can/error.h>
 #include <linux/can/led.h>
 #include <linux/can/netlink.h>
+#include <linux/can/skb.h>
 #include <linux/netdevice.h>
 
 /*
@@ -91,6 +92,36 @@ struct can_priv {
 #define get_can_dlc(i)		(min_t(__u8, (i), CAN_MAX_DLC))
 #define get_canfd_dlc(i)	(min_t(__u8, (i), CANFD_MAX_DLC))
 
+/* Check for outgoing skbs that have not been created by the CAN subsystem */
+static inline bool can_skb_headroom_valid(struct net_device *dev,
+					  struct sk_buff *skb)
+{
+	/* af_packet creates a headroom of HH_DATA_MOD bytes which is fine */
+	if (WARN_ON_ONCE(skb_headroom(skb) < sizeof(struct can_skb_priv)))
+		return false;
+
+	/* af_packet does not apply CAN skb specific settings */
+	if (skb->ip_summed == CHECKSUM_NONE) {
+		/* init headroom */
+		can_skb_prv(skb)->ifindex = dev->ifindex;
+		can_skb_prv(skb)->skbcnt = 0;
+
+		skb->ip_summed = CHECKSUM_UNNECESSARY;
+
+		/* preform proper loopback on capable devices */
+		if (dev->flags & IFF_ECHO)
+			skb->pkt_type = PACKET_LOOPBACK;
+		else
+			skb->pkt_type = PACKET_HOST;
+
+		skb_reset_mac_header(skb);
+		skb_reset_network_header(skb);
+		skb_reset_transport_header(skb);
+	}
+
+	return true;
+}
+
 /* Drop a given socketbuffer if it does not contain a valid CAN frame. */
 static inline bool can_dropped_invalid_skb(struct net_device *dev,
 					  struct sk_buff *skb)
@@ -108,6 +139,9 @@ static inline bool can_dropped_invalid_s
 	} else
 		goto inval_skb;
 
+	if (!can_skb_headroom_valid(dev, skb))
+		goto inval_skb;
+
 	return false;
 
 inval_skb: