From: Vincent Mailhol
To: Marc Kleine-Budde, linux-can@vger.kernel.org
Cc: linux-kernel@vger.kernel.org, netdev@vger.kernel.org, Arunachalam Santhanam, "David S . Miller", Jakub Kicinski, Vincent Mailhol
Subject: [PATCH] can: etas_es58x: fix null pointer dereference when handling error frames
Date: Tue, 13 Apr 2021 20:42:42 +0900
Message-Id: <20210413114242.2760-1-mailhol.vincent@wanadoo.fr>
X-Mailer: git-send-email 2.26.3
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

During the handling of CAN bus errors, a CAN error SKB is allocated
using alloc_can_err_skb(). Even if the allocation of the SKB fails,
the function continues in order to do the stats handling.

All access to the can_frame pointer (cf) should be guarded by an if
statement:
        if (cf)

However, the increment of the rx_bytes stats:
        netdev->stats.rx_bytes += cf->can_dlc;
dereferences the cf pointer and was not guarded by an if condition
leading to a NULL pointer dereference if the can_err_skb() function
failed.

Replacing the cf->can_dlc by the macro CAN_ERR_DLC (which is the
length of any CAN error frames) solves this NULL pointer dereference.

Fixes: 8537257874e9 ("can: etas_es58x: add core support for ETAS ES58X CAN USB interfaces")
Reported-by: Arunachalam Santhanam
Signed-off-by: Vincent Mailhol
---
Hi Marc,

I am really sorry, but I was just notified about this issue literally
a few minutes after you sent the pull request to net-next.

I am not sure how to proceed. You might either cancel the pull request
and squash this to 8537257874e9 ("can: etas_es58x: add core support
for ETAS ES58X CAN USB interfaces") or send it as a separate patch.

Please let me know if you need me to do anything.

Yours sincerely,
Vincent Mailhol
---
 drivers/net/can/usb/etas_es58x/es58x_core.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/net/can/usb/etas_es58x/es58x_core.c b/drivers/net/can/usb/etas_es58x/es58x_core.c index 7222b3b6ca46..57e5f94468e9 100644 --- a/drivers/net/can/usb/etas_es58x/es58x_core.c +++ b/drivers/net/can/usb/etas_es58x/es58x_core.c @@ -856,7 +856,7 @@ int es58x_rx_err_msg(struct net_device *netdev, enum es58x_err error, * consistency. */ netdev->stats.rx_packets++; - netdev->stats.rx_bytes += cf->can_dlc; + netdev->stats.rx_bytes += CAN_ERR_DLC; if (cf) { if (cf->data[1]) -- 2.26.3
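
Review bot: on the changed rx_bytes line in es58x_rx_err_msg(), both rx_packets and rx_bytes are incremented above the "if (cf)" check, so they are also bumped when the error SKB could not be allocated and no frame reaches the stack. The commit message says the function continues in order to do the stats handling, so this looks intended, but the comment ending in "consistency." directly above "netdev->stats.rx_packets++;" should state that the counters are updated even when cf is NULL; otherwise a later cleanup may switch the line back to reading the length from cf. The hunk shows only this one unguarded use of cf being removed, so it is worth confirming that every other cf-> access in the function sits inside an "if (cf)" block.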