Go to file
Oliver Hartkopp 0aaa81377c can: gw: ensure DLC boundaries after CAN frame modification
Muyu Yu provided a POC where user root with CAP_NET_ADMIN can create a CAN
frame modification rule that makes the data length code a higher value than
the available CAN frame data size. In combination with a configured checksum
calculation where the result is stored relatively to the end of the data
(e.g. cgw_csum_xor_rel) the tail of the skb (e.g. frag_list pointer in
skb_shared_info) can be rewritten which finally can cause a system crash.

Michael Kubecek suggested to drop frames that have a DLC exceeding the
available space after the modification process and provided a patch that can
handle CAN FD frames too. Within this patch we also limit the length for the
checksum calculations to the maximum of Classic CAN data length (8).

CAN frames that are dropped by these additional checks are counted with the
CGW_DELETED counter which indicates misconfigurations in can-gw rules.

This fixes CVE-2019-3701.

Reported-by: Muyu Yu <ieatmuttonchuan@gmail.com>
Reported-by: Marcus Meissner <meissner@suse.de>
Suggested-by: Michal Kubecek <mkubecek@suse.cz>
Tested-by: Muyu Yu <ieatmuttonchuan@gmail.com>
Tested-by: Oliver Hartkopp <socketcan@hartkopp.net>
Signed-off-by: Oliver Hartkopp <socketcan@hartkopp.net>
Cc: linux-stable <stable@vger.kernel.org> # >= v3.2
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
2019-01-07 05:17:51 -08:00
arch Remove 'type' argument from access_ok() function 2019-01-03 18:57:57 -08:00
block for-4.21/block-20190102 2019-01-02 18:49:58 -08:00
certs export.h: remove VMLINUX_SYMBOL() and VMLINUX_SYMBOL_STR() 2018-08-22 23:21:44 +09:00
crypto Kconfig updates for v4.21 2018-12-29 13:03:29 -08:00
Documentation Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2019-01-03 12:53:47 -08:00
drivers net/mlx4: replace pci_{,un}map_sg with dma_{,un}map_sg 2019-01-07 05:14:17 -08:00
firmware firmware: refactor firmware/Makefile 2018-12-23 10:10:32 +09:00
fs Remove 'type' argument from access_ok() function 2019-01-03 18:57:57 -08:00
include qed: Fix qed_chain_set_prod() for PBL chains with non power of 2 page count 2019-01-04 12:57:30 -08:00
init Merge tag 'devicetree-for-4.21' of git://git.kernel.org/pub/scm/linux/kernel/git/robh/linux 2018-12-28 20:08:34 -08:00
ipc ipc: IPCMNI limit check for semmni 2018-10-31 08:54:14 -07:00
kernel Remove 'type' argument from access_ok() function 2019-01-03 18:57:57 -08:00
lib Remove 'type' argument from access_ok() function 2019-01-03 18:57:57 -08:00
LICENSES This is a fairly typical cycle for documentation. There's some welcome 2018-10-24 18:01:11 +01:00
mm Remove 'type' argument from access_ok() function 2019-01-03 18:57:57 -08:00
net can: gw: ensure DLC boundaries after CAN frame modification 2019-01-07 05:17:51 -08:00
samples Merge branch 'next-seccomp' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security 2019-01-02 09:48:13 -08:00
scripts Tracing changes for v4.21: 2018-12-31 11:46:59 -08:00
security Remove 'type' argument from access_ok() function 2019-01-03 18:57:57 -08:00
sound Remove 'type' argument from access_ok() function 2019-01-03 18:57:57 -08:00
tools selftests: net: fix/improve ip_defrag selftest 2019-01-04 13:38:39 -08:00
usr user/Makefile: Fix typo and capitalization in comment section 2018-12-11 00:18:03 +09:00
virt Remove 'type' argument from access_ok() function 2019-01-03 18:57:57 -08:00
.clang-format page cache: Convert find_get_pages_contig to XArray 2018-10-21 10:46:34 -04:00
.cocciconfig scripts: add Linux .cocciconfig for coccinelle 2016-07-22 12:13:39 +02:00
.get_maintainer.ignore
.gitattributes .gitattributes: set git diff driver for C source code files 2016-10-07 18:46:30 -07:00
.gitignore kbuild: Add support for DT binding schema checks 2018-12-13 09:41:32 -06:00
.mailmap Merge tag 'nand/for-4.21' of git://git.infradead.org/linux-mtd into mtd/next 2018-12-18 19:59:16 +01:00
COPYING COPYING: use the new text with points to the license files 2018-03-23 12:41:45 -06:00
CREDITS MAINTAINERS: update entry for MMP platform 2018-12-03 12:39:57 -08:00
Kbuild kbuild: remove unused cmd_gentimeconst 2018-12-25 00:10:30 +09:00
Kconfig kconfig: move the "Executable file formats" menu to fs/Kconfig.binfmt 2018-08-02 08:06:55 +09:00
MAINTAINERS Merge branch 'for-linus-4.21-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/rw/uml 2019-01-02 18:39:22 -08:00
Makefile Kbuild updates for v4.21 2018-12-29 12:03:17 -08:00
README Drop all 00-INDEX files from Documentation/ 2018-09-09 15:08:58 -06:00

Linux kernel
============

There are several guides for kernel developers and users. These guides can
be rendered in a number of formats, like HTML and PDF. Please read
Documentation/admin-guide/README.rst first.

In order to build the documentation, use ``make htmldocs`` or
``make pdfdocs``.  The formatted documentation can also be read online at:

    https://www.kernel.org/doc/html/latest/

There are various text files in the Documentation/ subdirectory,
several of them using the Restructured Text markup notation.

Please read the Documentation/process/changes.rst file, as it contains the
requirements for building and running the kernel, and information about
the problems which may result by upgrading your kernel.