Re: [PATCH] bonding: do not enslave CAN devices

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



From: Marc Kleine-Budde <mkl@xxxxxxxxxxxxxx>
Date: Tue, 25 Feb 2020 21:32:41 +0100

> On 1/30/20 2:30 PM, Oliver Hartkopp wrote:
>> Since commit 8df9ffb888c ("can: make use of preallocated can_ml_priv for per
>> device struct can_dev_rcv_lists") the device specific CAN receive filter lists
>> are stored in netdev_priv() and dev->ml_priv points to these filters.
>> 
>> In the bug report Syzkaller enslaved a vxcan1 CAN device and accessed the
>> bonding device with a PF_CAN socket which lead to a crash due to an access of
>> an unhandled bond_dev->ml_priv pointer.
>> 
>> Deny to enslave CAN devices by the bonding driver as the resulting bond_dev
>> pretends to be a CAN device by copying dev->type without really being one.
>> 
>> Reported-by: syzbot+c3ea30e1e2485573f953@xxxxxxxxxxxxxxxxxxxxxxxxx
>> Fixes: 8df9ffb888c ("can: make use of preallocated can_ml_priv for per
>> device struct can_dev_rcv_lists")
>> Cc: linux-stable <stable@xxxxxxxxxxxxxxx> # >= v5.4
>> Signed-off-by: Oliver Hartkopp <socketcan@xxxxxxxxxxxx>
> Acked-by: Marc Kleine-Budde <mkl@xxxxxxxxxxxxxx>
> 
> What's the preferred to upstream this? I could take this via the
> linux-can tree.

What I don't get is why the PF_CAN is blindly dereferencing a device
assuming what is behind bond_dev->ml_priv.

If it assumes a device it access is CAN then it should check the
device by comparing the netdev_ops or via some other means.

This restriction seems arbitrary.



[Index of Archives]     [Automotive Discussions]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [eCos]     [Asterisk Internet PBX]     [Linux API]     [CAN Bus]

  Powered by Linux