From: Oleksij Rempel
To: Robin van der Gracht, Oliver Hartkopp, Marc Kleine-Budde
Cc: Oleksij Rempel, Shuangpeng Bai, kernel@pengutronix.de, linux-can@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [PATCH v1] net: can: j1939: Fix out-of-bounds memory access in j1939_tp_tx_dat_new
Date: Tue, 4 Apr 2023 09:31:28 +0200
Message-Id: <20230404073128.3173900-1-o.rempel@pengutronix.de>
X-Mailer: git-send-email 2.39.2

In the j1939_tp_tx_dat_new function, an out-of-bounds memory access could occur during the memcpy operation if the size of skb->cb is larger than the size of struct j1939_sk_buff_cb. This is because the memcpy operation uses the size of skb->cb, leading to a read beyond the struct j1939_sk_buff_cb.

To address this issue, we have updated the memcpy operation to use the size of struct j1939_sk_buff_cb instead of the size of skb->cb. This ensures that the memcpy operation only reads the memory within the bounds of struct j1939_sk_buff_cb, preventing out-of-bounds memory access.

Additionally, a static_assert has been added to check that the size of skb->cb is greater than or equal to the size of struct j1939_sk_buff_cb. This ensures that the skb->cb buffer is large enough to hold the j1939_sk_buff_cb structure.

Fixes: 9d71dd0c7009 ("can: add support of SAE J1939 protocol")
Reported-by: Shuangpeng Bai
Tested-by: Shuangpeng Bai
Signed-off-by: Oleksij Rempel --- net/can/j1939/transport.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/net/can/j1939/transport.c b/net/can/j1939/transport.c index fb92c3609e17..fe3df23a2595 100644 --- a/net/can/j1939/transport.c +++ b/net/can/j1939/transport.c @@ -604,7 +604,10 @@ sk_buff *j1939_tp_tx_dat_new(struct j1939_priv *priv, /* reserve CAN header */ skb_reserve(skb, offsetof(struct can_frame, data)); - memcpy(skb->cb, re_skcb, sizeof(skb->cb)); + /* skb->cb must be large enough to hold a j1939_sk_buff_cb structure */ + BUILD_BUG_ON(sizeof(skb->cb) < sizeof(*re_skcb)); + + memcpy(skb->cb, re_skcb, sizeof(*re_skcb)); skcb = j1939_skb_to_cb(skb); if (swap_src_dst) j1939_skbcb_swap(skcb); -- 2.39.2
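Review bot: the commit message and the hunk disagree on the mechanism: the message says "a static_assert has been added", but the hunk adds `BUILD_BUG_ON(sizeof(skb->cb) < sizeof(*re_skcb));`. Please make the message name BUILD_BUG_ON (or switch the code to static_assert) so the two match, since this line is what reviewers and backporters will grep for. The length change itself looks right: the old `memcpy(skb->cb, re_skcb, sizeof(skb->cb))` sized the copy by the destination array and so read past the struct that re_skcb points to; `sizeof(*re_skcb)` sizes it by the source object. Two things worth a sentence in the message: first, after the change the bytes of skb->cb beyond sizeof(*re_skcb) are no longer overwritten by this copy, so state that j1939 never reads them (or that the freshly allocated skb's cb is already cleared); second, the BUILD_BUG_ON now sits inline between skb_reserve() and the memcpy, and a compile-time check about the layout of struct j1939_sk_buff_cb would usually live next to the struct definition or at the top of the function rather than mid-body, which is a style nit but keeps the function body readable.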
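The over-read the patch fixes, reproduced in user space as an added example (this is not the kernel's code and not part of the patch). It models skb->cb as a 48-byte array, the size sk_buff uses, and stands in a made-up struct toy_skcb for struct j1939_sk_buff_cb; the struct fields, the CANARY fill and the source_region layout are all assumptions chosen so the over-read is observable. The copy sized by the destination pulls bytes from memory next to the struct into cb[], the copy sized by the source does not, and a C11 _Static_assert plays the role of the patch's BUILD_BUG_ON.

```c
/* Added example modelling the j1939_tp_tx_dat_new over-read; not kernel code. */
#include <assert.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* sk_buff's control block is char cb[48]; model it with the same size. */
#define CB_SIZE 48
#define CANARY  0xA5

/* Stand-in for struct j1939_sk_buff_cb. The fields are invented for this
 * example; what matters is only that the struct is smaller than cb[]. */
struct toy_skcb {
    uint8_t  addr_src;
    uint8_t  addr_dst;
    uint16_t flags;
    uint32_t pgn;
    uint64_t name;
};

/* User-space counterpart of the BUILD_BUG_ON added by the patch. */
_Static_assert(sizeof(struct toy_skcb) <= CB_SIZE,
               "cb[] must be able to hold the control block");

/* The control block followed by memory that belongs to something else,
 * filled with CANARY so any over-read shows up in the destination. */
struct source_region {
    struct toy_skcb skcb;
    uint8_t         neighbour[CB_SIZE];
};

static void init_source(struct source_region *r)
{
    memset(r, CANARY, sizeof(*r));          /* neighbour[] is all CANARY */
    r->skcb.addr_src = 0x80;                /* arbitrary example values */
    r->skcb.addr_dst = 0x90;
    r->skcb.flags    = 0;
    r->skcb.pgn      = 0xEC00;
    r->skcb.name     = 0x0102030405060708ULL;
}

/* Count CANARY bytes that landed in cb[] past the end of the struct:
 * every one of them came from memory that was never part of *src. */
static size_t leaked_bytes(const uint8_t cb[CB_SIZE])
{
    size_t n = 0;
    for (size_t i = sizeof(struct toy_skcb); i < CB_SIZE; i++)
        if (cb[i] == CANARY)
            n++;
    return n;
}

/* Before the fix: the length comes from the destination, so the copy
 * reads CB_SIZE bytes out of a sizeof(*src)-byte object. */
static size_t copy_before_fix(uint8_t cb[CB_SIZE], const struct toy_skcb *src)
{
    memset(cb, 0, CB_SIZE);
    memcpy(cb, src, CB_SIZE);               /* over-read: CB_SIZE > sizeof(*src) */
    return leaked_bytes(cb);
}

/* After the fix: the length comes from the source object. */
static size_t copy_after_fix(uint8_t cb[CB_SIZE], const struct toy_skcb *src)
{
    memset(cb, 0, CB_SIZE);
    memcpy(cb, src, sizeof(*src));
    return leaked_bytes(cb);
}

/* Convenience wrappers that run each variant on a fresh source region. */
static size_t demo_before_fix(void)
{
    struct source_region r;
    uint8_t cb[CB_SIZE];
    init_source(&r);
    return copy_before_fix(cb, &r.skcb);
}

static size_t demo_after_fix(void)
{
    struct source_region r;
    uint8_t cb[CB_SIZE];
    init_source(&r);
    size_t leaked = copy_after_fix(cb, &r.skcb);
    /* The fixed copy must still carry the whole control block. */
    assert(memcmp(cb, &r.skcb, sizeof(r.skcb)) == 0);
    return leaked;
}

int main(void)
{
    printf("before fix: %zu bytes of neighbouring memory copied into cb\n",
           demo_before_fix());
    printf("after fix:  %zu bytes of neighbouring memory copied into cb\n",
           demo_after_fix());
    return 0;
}
```

With the sizes assumed here the destination-sized copy drags 32 bytes of neighbouring memory into cb[] (48 minus the 16-byte struct); in the kernel the equivalent bytes would come from whatever follows the struct that re_skcb points to, which is why sizing the copy by the source object is the right fix and why the compile-time check on sizeof(skb->cb) matters.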