linux/net/can/j1939/j1939-priv.h
Oleksij Rempel efe7cf8280 can: j1939: Fix UAF in j1939_sk_match_filter during setsockopt(SO_J1939_FILTER)
Lock jsk->sk to prevent UAF when setsockopt(..., SO_J1939_FILTER, ...)
modifies jsk->filters while receiving packets.

Following trace was seen on affected system:
 ==================================================================
 BUG: KASAN: slab-use-after-free in j1939_sk_recv_match_one+0x1af/0x2d0 [can_j1939]
 Read of size 4 at addr ffff888012144014 by task j1939/350

 CPU: 0 PID: 350 Comm: j1939 Tainted: G        W  OE      6.5.0-rc5 #1
 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
 Call Trace:
  print_report+0xd3/0x620
  ? kasan_complete_mode_report_info+0x7d/0x200
  ? j1939_sk_recv_match_one+0x1af/0x2d0 [can_j1939]
  kasan_report+0xc2/0x100
  ? j1939_sk_recv_match_one+0x1af/0x2d0 [can_j1939]
  __asan_load4+0x84/0xb0
  j1939_sk_recv_match_one+0x1af/0x2d0 [can_j1939]
  j1939_sk_recv+0x20b/0x320 [can_j1939]
  ? __kasan_check_write+0x18/0x20
  ? __pfx_j1939_sk_recv+0x10/0x10 [can_j1939]
  ? j1939_simple_recv+0x69/0x280 [can_j1939]
  ? j1939_ac_recv+0x5e/0x310 [can_j1939]
  j1939_can_recv+0x43f/0x580 [can_j1939]
  ? __pfx_j1939_can_recv+0x10/0x10 [can_j1939]
  ? raw_rcv+0x42/0x3c0 [can_raw]
  ? __pfx_j1939_can_recv+0x10/0x10 [can_j1939]
  can_rcv_filter+0x11f/0x350 [can]
  can_receive+0x12f/0x190 [can]
  ? __pfx_can_rcv+0x10/0x10 [can]
  can_rcv+0xdd/0x130 [can]
  ? __pfx_can_rcv+0x10/0x10 [can]
  __netif_receive_skb_one_core+0x13d/0x150
  ? __pfx___netif_receive_skb_one_core+0x10/0x10
  ? __kasan_check_write+0x18/0x20
  ? _raw_spin_lock_irq+0x8c/0xe0
  __netif_receive_skb+0x23/0xb0
  process_backlog+0x107/0x260
  __napi_poll+0x69/0x310
  net_rx_action+0x2a1/0x580
  ? __pfx_net_rx_action+0x10/0x10
  ? __pfx__raw_spin_lock+0x10/0x10
  ? handle_irq_event+0x7d/0xa0
  __do_softirq+0xf3/0x3f8
  do_softirq+0x53/0x80
  </IRQ>
  <TASK>
  __local_bh_enable_ip+0x6e/0x70
  netif_rx+0x16b/0x180
  can_send+0x32b/0x520 [can]
  ? __pfx_can_send+0x10/0x10 [can]
  ? __check_object_size+0x299/0x410
  raw_sendmsg+0x572/0x6d0 [can_raw]
  ? __pfx_raw_sendmsg+0x10/0x10 [can_raw]
  ? apparmor_socket_sendmsg+0x2f/0x40
  ? __pfx_raw_sendmsg+0x10/0x10 [can_raw]
  sock_sendmsg+0xef/0x100
  sock_write_iter+0x162/0x220
  ? __pfx_sock_write_iter+0x10/0x10
  ? __rtnl_unlock+0x47/0x80
  ? security_file_permission+0x54/0x320
  vfs_write+0x6ba/0x750
  ? __pfx_vfs_write+0x10/0x10
  ? __fget_light+0x1ca/0x1f0
  ? __rcu_read_unlock+0x5b/0x280
  ksys_write+0x143/0x170
  ? __pfx_ksys_write+0x10/0x10
  ? __kasan_check_read+0x15/0x20
  ? fpregs_assert_state_consistent+0x62/0x70
  __x64_sys_write+0x47/0x60
  do_syscall_64+0x60/0x90
  ? do_syscall_64+0x6d/0x90
  ? irqentry_exit+0x3f/0x50
  ? exc_page_fault+0x79/0xf0
  entry_SYSCALL_64_after_hwframe+0x6e/0xd8

 Allocated by task 348:
  kasan_save_stack+0x2a/0x50
  kasan_set_track+0x29/0x40
  kasan_save_alloc_info+0x1f/0x30
  __kasan_kmalloc+0xb5/0xc0
  __kmalloc_node_track_caller+0x67/0x160
  j1939_sk_setsockopt+0x284/0x450 [can_j1939]
  __sys_setsockopt+0x15c/0x2f0
  __x64_sys_setsockopt+0x6b/0x80
  do_syscall_64+0x60/0x90
  entry_SYSCALL_64_after_hwframe+0x6e/0xd8

 Freed by task 349:
  kasan_save_stack+0x2a/0x50
  kasan_set_track+0x29/0x40
  kasan_save_free_info+0x2f/0x50
  __kasan_slab_free+0x12e/0x1c0
  __kmem_cache_free+0x1b9/0x380
  kfree+0x7a/0x120
  j1939_sk_setsockopt+0x3b2/0x450 [can_j1939]
  __sys_setsockopt+0x15c/0x2f0
  __x64_sys_setsockopt+0x6b/0x80
  do_syscall_64+0x60/0x90
  entry_SYSCALL_64_after_hwframe+0x6e/0xd8

Fixes: 9d71dd0c70 ("can: add support of SAE J1939 protocol")
Reported-by: Sili Luo <rootlab@huawei.com>
Suggested-by: Sili Luo <rootlab@huawei.com>
Acked-by: Oleksij Rempel <o.rempel@pengutronix.de>
Cc: stable@vger.kernel.org
Signed-off-by: Oleksij Rempel <o.rempel@pengutronix.de>
Link: https://lore.kernel.org/all/20231020133814.383996-1-o.rempel@pengutronix.de
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
2024-02-14 13:53:03 +01:00

345 lines
9.5 KiB
C

/* SPDX-License-Identifier: GPL-2.0 */
// Copyright (c) 2010-2011 EIA Electronics,
// Kurt Van Dijck <kurt.van.dijck@eia.be>
// Copyright (c) 2017-2019 Pengutronix,
// Marc Kleine-Budde <kernel@pengutronix.de>
// Copyright (c) 2017-2019 Pengutronix,
// Oleksij Rempel <kernel@pengutronix.de>
#ifndef _J1939_PRIV_H_
#define _J1939_PRIV_H_
#include <linux/can/j1939.h>
#include <net/sock.h>
/* Timeout to receive the abort signal over loop back. In case CAN
* bus is open, the timeout should be triggered.
*/
#define J1939_XTP_ABORT_TIMEOUT_MS 500
#define J1939_SIMPLE_ECHO_TIMEOUT_MS (10 * 1000)
struct j1939_session;
enum j1939_sk_errqueue_type {
J1939_ERRQUEUE_TX_ACK,
J1939_ERRQUEUE_TX_SCHED,
J1939_ERRQUEUE_TX_ABORT,
J1939_ERRQUEUE_RX_RTS,
J1939_ERRQUEUE_RX_DPO,
J1939_ERRQUEUE_RX_ABORT,
};
/* j1939 devices */
struct j1939_ecu {
struct list_head list;
name_t name;
u8 addr;
/* indicates that this ecu successfully claimed @sa as its address */
struct hrtimer ac_timer;
struct kref kref;
struct j1939_priv *priv;
/* count users, to help transport protocol decide for interaction */
int nusers;
};
struct j1939_priv {
struct list_head ecus;
/* local list entry in priv
* These allow irq (& softirq) context lookups on j1939 devices
* This approach (separate lists) is done as the other 2 alternatives
* are not easier or even wrong
* 1) using the pure kobject methods involves mutexes, which are not
* allowed in irq context.
* 2) duplicating data structures would require a lot of synchronization
* code
* usage:
*/
/* segments need a lock to protect the above list */
rwlock_t lock;
struct net_device *ndev;
/* list of 256 ecu ptrs, that cache the claimed addresses.
* also protected by the above lock
*/
struct j1939_addr_ent {
struct j1939_ecu *ecu;
/* count users, to help transport protocol */
int nusers;
} ents[256];
struct kref kref;
/* List of active sessions to prevent start of conflicting
* one.
*
* Do not start two sessions of same type, addresses and
* direction.
*/
struct list_head active_session_list;
/* protects active_session_list */
spinlock_t active_session_list_lock;
unsigned int tp_max_packet_size;
/* lock for j1939_socks list */
rwlock_t j1939_socks_lock;
struct list_head j1939_socks;
struct kref rx_kref;
u32 rx_tskey;
};
void j1939_ecu_put(struct j1939_ecu *ecu);
/* keep the cache of what is local */
int j1939_local_ecu_get(struct j1939_priv *priv, name_t name, u8 sa);
void j1939_local_ecu_put(struct j1939_priv *priv, name_t name, u8 sa);
static inline bool j1939_address_is_unicast(u8 addr)
{
return addr <= J1939_MAX_UNICAST_ADDR;
}
static inline bool j1939_address_is_idle(u8 addr)
{
return addr == J1939_IDLE_ADDR;
}
static inline bool j1939_address_is_valid(u8 addr)
{
return addr != J1939_NO_ADDR;
}
static inline bool j1939_pgn_is_pdu1(pgn_t pgn)
{
/* ignore dp & res bits for this */
return (pgn & 0xff00) < 0xf000;
}
/* utility to correctly unmap an ECU */
void j1939_ecu_unmap_locked(struct j1939_ecu *ecu);
void j1939_ecu_unmap(struct j1939_ecu *ecu);
u8 j1939_name_to_addr(struct j1939_priv *priv, name_t name);
struct j1939_ecu *j1939_ecu_find_by_addr_locked(struct j1939_priv *priv,
u8 addr);
struct j1939_ecu *j1939_ecu_get_by_addr(struct j1939_priv *priv, u8 addr);
struct j1939_ecu *j1939_ecu_get_by_addr_locked(struct j1939_priv *priv,
u8 addr);
struct j1939_ecu *j1939_ecu_get_by_name(struct j1939_priv *priv, name_t name);
struct j1939_ecu *j1939_ecu_get_by_name_locked(struct j1939_priv *priv,
name_t name);
enum j1939_transfer_type {
J1939_TP,
J1939_ETP,
J1939_SIMPLE,
};
struct j1939_addr {
name_t src_name;
name_t dst_name;
pgn_t pgn;
u8 sa;
u8 da;
u8 type;
};
/* control buffer of the sk_buff */
struct j1939_sk_buff_cb {
/* Offset in bytes within one ETP session */
u32 offset;
/* for tx, MSG_SYN will be used to sync on sockets */
u32 msg_flags;
u32 tskey;
struct j1939_addr addr;
/* Flags for quick lookups during skb processing.
* These are set in the receive path only.
*/
#define J1939_ECU_LOCAL_SRC BIT(0)
#define J1939_ECU_LOCAL_DST BIT(1)
u8 flags;
priority_t priority;
};
static inline
struct j1939_sk_buff_cb *j1939_skb_to_cb(const struct sk_buff *skb)
{
BUILD_BUG_ON(sizeof(struct j1939_sk_buff_cb) > sizeof(skb->cb));
return (struct j1939_sk_buff_cb *)skb->cb;
}
int j1939_send_one(struct j1939_priv *priv, struct sk_buff *skb);
void j1939_sk_recv(struct j1939_priv *priv, struct sk_buff *skb);
bool j1939_sk_recv_match(struct j1939_priv *priv,
struct j1939_sk_buff_cb *skcb);
void j1939_sk_send_loop_abort(struct sock *sk, int err);
void j1939_sk_errqueue(struct j1939_session *session,
enum j1939_sk_errqueue_type type);
void j1939_sk_queue_activate_next(struct j1939_session *session);
/* stack entries */
struct j1939_session *j1939_tp_send(struct j1939_priv *priv,
struct sk_buff *skb, size_t size);
int j1939_tp_recv(struct j1939_priv *priv, struct sk_buff *skb);
int j1939_ac_fixup(struct j1939_priv *priv, struct sk_buff *skb);
void j1939_ac_recv(struct j1939_priv *priv, struct sk_buff *skb);
void j1939_simple_recv(struct j1939_priv *priv, struct sk_buff *skb);
/* network management */
struct j1939_ecu *j1939_ecu_create_locked(struct j1939_priv *priv, name_t name);
void j1939_ecu_timer_start(struct j1939_ecu *ecu);
void j1939_ecu_timer_cancel(struct j1939_ecu *ecu);
void j1939_ecu_unmap_all(struct j1939_priv *priv);
struct j1939_priv *j1939_netdev_start(struct net_device *ndev);
void j1939_netdev_stop(struct j1939_priv *priv);
void j1939_priv_put(struct j1939_priv *priv);
void j1939_priv_get(struct j1939_priv *priv);
/* notify/alert all j1939 sockets bound to ifindex */
void j1939_sk_netdev_event_netdown(struct j1939_priv *priv);
int j1939_cancel_active_session(struct j1939_priv *priv, struct sock *sk);
void j1939_tp_init(struct j1939_priv *priv);
/* decrement pending skb for a j1939 socket */
void j1939_sock_pending_del(struct sock *sk);
enum j1939_session_state {
J1939_SESSION_NEW,
J1939_SESSION_ACTIVE,
/* waiting for abort signal on the bus */
J1939_SESSION_WAITING_ABORT,
J1939_SESSION_ACTIVE_MAX,
J1939_SESSION_DONE,
};
struct j1939_session {
struct j1939_priv *priv;
struct list_head active_session_list_entry;
struct list_head sk_session_queue_entry;
struct kref kref;
struct sock *sk;
/* ifindex, src, dst, pgn define the session block
* the are _never_ modified after insertion in the list
* this decreases locking problems a _lot_
*/
struct j1939_sk_buff_cb skcb;
struct sk_buff_head skb_queue;
/* all tx related stuff (last_txcmd, pkt.tx)
* is protected (modified only) with the txtimer hrtimer
* 'total' & 'block' are never changed,
* last_cmd, last & block are protected by ->lock
* this means that the tx may run after cts is received that should
* have stopped tx, but this time discrepancy is never avoided anyhow
*/
u8 last_cmd, last_txcmd;
bool transmission;
bool extd;
/* Total message size, number of bytes */
unsigned int total_message_size;
/* Total number of bytes queue from socket to the session */
unsigned int total_queued_size;
unsigned int tx_retry;
int err;
u32 tskey;
enum j1939_session_state state;
/* Packets counters for a (extended) transfer session. The packet is
* maximal of 7 bytes.
*/
struct {
/* total - total number of packets for this session */
unsigned int total;
/* last - last packet of a transfer block after which
* responder should send ETP.CM_CTS and originator
* ETP.CM_DPO
*/
unsigned int last;
/* tx - number of packets send by originator node.
* this counter can be set back if responder node
* didn't received all packets send by originator.
*/
unsigned int tx;
unsigned int tx_acked;
/* rx - number of packets received */
unsigned int rx;
/* block - amount of packets expected in one block */
unsigned int block;
/* dpo - ETP.CM_DPO, Data Packet Offset */
unsigned int dpo;
} pkt;
struct hrtimer txtimer, rxtimer;
};
struct j1939_sock {
struct sock sk; /* must be first to skip with memset */
struct j1939_priv *priv;
struct list_head list;
#define J1939_SOCK_BOUND BIT(0)
#define J1939_SOCK_CONNECTED BIT(1)
#define J1939_SOCK_PROMISC BIT(2)
#define J1939_SOCK_ERRQUEUE BIT(3)
int state;
int ifindex;
struct j1939_addr addr;
spinlock_t filters_lock;
struct j1939_filter *filters;
int nfilters;
pgn_t pgn_rx_filter;
/* j1939 may emit equal PGN (!= equal CAN-id's) out of order
* when transport protocol comes in.
* To allow emitting in order, keep a 'pending' nr. of packets
*/
atomic_t skb_pending;
wait_queue_head_t waitq;
/* lock for the sk_session_queue list */
spinlock_t sk_session_queue_lock;
struct list_head sk_session_queue;
};
static inline struct j1939_sock *j1939_sk(const struct sock *sk)
{
return container_of(sk, struct j1939_sock, sk);
}
void j1939_session_get(struct j1939_session *session);
void j1939_session_put(struct j1939_session *session);
void j1939_session_skb_queue(struct j1939_session *session,
struct sk_buff *skb);
int j1939_session_activate(struct j1939_session *session);
void j1939_tp_schedule_txtimer(struct j1939_session *session, int msec);
void j1939_session_timers_cancel(struct j1939_session *session);
#define J1939_MIN_TP_PACKET_SIZE 9
#define J1939_MAX_TP_PACKET_SIZE (7 * 0xff)
#define J1939_MAX_ETP_PACKET_SIZE (7 * 0x00ffffff)
#define J1939_REGULAR 0
#define J1939_EXTENDED 1
/* CAN protocol */
extern const struct can_proto j1939_can_proto;
#endif /* _J1939_PRIV_H_ */