From: Marc Kleine-Budde <mkl@xxxxxxxxxxxxxx>
Date: Tue, 25 Feb 2020 21:32:41 +0100
> On 1/30/20 2:30 PM, Oliver Hartkopp wrote:
>> Since commit 8df9ffb888c ("can: make use of preallocated can_ml_priv for per
>> device struct can_dev_rcv_lists") the device specific CAN receive filter lists
>> are stored in netdev_priv() and dev->ml_priv points to these filters.
>>
>> In the bug report Syzkaller enslaved a vxcan1 CAN device and accessed the
>> bonding device with a PF_CAN socket which lead to a crash due to an access of
>> an unhandled bond_dev->ml_priv pointer.
>>
>> Deny to enslave CAN devices by the bonding driver as the resulting bond_dev
>> pretends to be a CAN device by copying dev->type without really being one.
>>
>> Reported-by: syzbot+c3ea30e1e2485573f953@xxxxxxxxxxxxxxxxxxxxxxxxx
>> Fixes: 8df9ffb888c ("can: make use of preallocated can_ml_priv for per
>> device struct can_dev_rcv_lists")
>> Cc: linux-stable <stable@xxxxxxxxxxxxxxx> # >= v5.4
>> Signed-off-by: Oliver Hartkopp <socketcan@xxxxxxxxxxxx>
> Acked-by: Marc Kleine-Budde <mkl@xxxxxxxxxxxxxx>
>
> What's the preferred to upstream this? I could take this via the
> linux-can tree.
What I don't get is why the PF_CAN is blindly dereferencing a device
assuming what is behind bond_dev->ml_priv.
If it assumes a device it access is CAN then it should check the
device by comparing the netdev_ops or via some other means.
This restriction seems arbitrary.
