From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, syzbot+2339c27f5c66c652843e@syzkaller.appspotmail.com, Oliver Hartkopp, Marc Kleine-Budde
Subject: [PATCH 5.16 0125/1017] can: isotp: sanitize CAN ID checks in isotp_bind()
Date: Tue, 5 Apr 2022 09:17:18 +0200
Message-Id: <20220405070357.909829068@linuxfoundation.org>
In-Reply-To: <20220405070354.155796697@linuxfoundation.org>
References: <20220405070354.155796697@linuxfoundation.org>

From: Oliver Hartkopp

commit 3ea566422cbde9610c2734980d1286ab681bb40e upstream.

Syzbot created an environment that led to a state machine status that
can not be reached with a compliant CAN ID address configuration.
The provided address information consisted of CAN ID 0x6000001 and 0xC28001
which both boil down to 11 bit CAN IDs 0x001 in sending and receiving.

Sanitize the SFF/EFF CAN ID values before performing the address checks.

Fixes: e057dd3fc20f ("can: add ISO 15765-2:2016 transport protocol")
Link: https://lore.kernel.org/all/20220316164258.54155-1-socketcan@hartkopp.net
Reported-by: syzbot+2339c27f5c66c652843e@syzkaller.appspotmail.com
Signed-off-by: Oliver Hartkopp
Signed-off-by: Marc Kleine-Budde
Signed-off-by: Greg Kroah-Hartman --- net/can/isotp.c | 38 ++++++++++++++++++++------------------ 1 file changed, 20 insertions(+), 18 deletions(-) --- a/net/can/isotp.c +++ b/net/can/isotp.c @@ -1104,6 +1104,7 @@ static int isotp_bind(struct socket *soc struct net *net = sock_net(sk); int ifindex; struct net_device *dev; + canid_t tx_id, rx_id; int err = 0; int notify_enetdown = 0; int do_rx_reg = 1; @@ -1111,8 +1112,18 @@ static int isotp_bind(struct socket *soc if (len < ISOTP_MIN_NAMELEN) return -EINVAL; - if (addr->can_addr.tp.tx_id & (CAN_ERR_FLAG | CAN_RTR_FLAG)) - return -EADDRNOTAVAIL; + /* sanitize tx/rx CAN identifiers */ + tx_id = addr->can_addr.tp.tx_id; + if (tx_id & CAN_EFF_FLAG) + tx_id &= (CAN_EFF_FLAG | CAN_EFF_MASK); + else + tx_id &= CAN_SFF_MASK; + + rx_id = addr->can_addr.tp.rx_id; + if (rx_id & CAN_EFF_FLAG) + rx_id &= (CAN_EFF_FLAG | CAN_EFF_MASK); + else + rx_id &= CAN_SFF_MASK; if (!addr->can_ifindex) return -ENODEV; @@ -1124,21 +1135,13 @@ static int isotp_bind(struct socket *soc do_rx_reg = 0; /* do not validate rx address for functional addressing */ - if (do_rx_reg) { - if (addr->can_addr.tp.rx_id == addr->can_addr.tp.tx_id) { - err = -EADDRNOTAVAIL; - goto out; - } - - if (addr->can_addr.tp.rx_id & (CAN_ERR_FLAG | CAN_RTR_FLAG)) { - err = -EADDRNOTAVAIL; - goto out; - } + if (do_rx_reg && rx_id == tx_id) { + err = -EADDRNOTAVAIL; + goto out; } if (so->bound && addr->can_ifindex == so->ifindex && - addr->can_addr.tp.rx_id == so->rxid && - addr->can_addr.tp.tx_id == so->txid) + rx_id == so->rxid && tx_id == so->txid) goto out; dev = dev_get_by_index(net, addr->can_ifindex); @@ -1162,8 +1165,7 @@ static int isotp_bind(struct socket *soc ifindex = dev->ifindex; if (do_rx_reg) - can_rx_register(net, dev, addr->can_addr.tp.rx_id, - SINGLE_MASK(addr->can_addr.tp.rx_id), + can_rx_register(net, dev, rx_id, SINGLE_MASK(rx_id), isotp_rcv, sk, "isotp", sk); dev_put(dev); 
@@ -1183,8 +1185,8 @@ static int isotp_bind(struct socket *soc /* switch to new settings */ so->ifindex = ifindex; - so->rxid = addr->can_addr.tp.rx_id; - so->txid = addr->can_addr.tp.tx_id; + so->rxid = rx_id; + so->txid = tx_id; so->bound = 1; out:
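Review bot: In the hunk at @@ -1111,8 +1112,18 the removed `tx_id & (CAN_ERR_FLAG | CAN_RTR_FLAG)` test returned -EADDRNOTAVAIL, whereas the new masking silently clears those bits (and, for non-EFF IDs, everything above CAN_SFF_MASK), so a bind() that used to fail now succeeds on an ID different from the one the caller passed. The changelog only talks about sanitizing before the address checks and does not mention this userspace-visible change; either keep an explicit rejection ahead of the masking or say in the commit message that ERR/RTR bits are now ignored. The tx_id and rx_id blocks are also line-for-line identical and would read better as one small helper that takes a canid_t and returns the sanitized value.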
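Review bot: In the hunk at @@ -1124,21 +1135,13 the `rx_id == tx_id` test and the `so->bound` shortcut now compare the masked locals, which is what catches the pair from the changelog (0x6000001 and 0xC28001 both reduce to 0x001 under CAN_SFF_MASK), but nothing at the comparison says so; the context comment still reads only "do not validate rx address for functional addressing". A one-line comment that these checks must use the sanitized rx_id/tx_id, never addr->can_addr.tp.* directly, would guard against a later edit reintroducing the raw values. The shortcut is also only correct because the final hunk stores the sanitized values in so->rxid and so->txid, so those two changes need to stay together in any backport.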