From: Marc Kleine-Budde <mkl@xxxxxxxxxxxxxx>
Date: Fri, 4 Jan 2019 15:55:26 +0100

> From: Oliver Hartkopp <socketcan@xxxxxxxxxxxx>
>
> Muyu Yu provided a POC where user root with CAP_NET_ADMIN can create a CAN
> frame modification rule that makes the data length code a higher value than
> the available CAN frame data size. In combination with a configured checksum
> calculation where the result is stored relative to the end of the data
> (e.g. cgw_csum_xor_rel) the tail of the skb (e.g. frag_list pointer in
> skb_shared_info) can be rewritten which finally can cause a system crash.
>
> Michal Kubecek suggested to drop frames that have a DLC exceeding the
> available space after the modification process and provided a patch that can
> handle CAN FD frames too. Within this patch we also limit the length for the
> checksum calculations to the maximum of Classic CAN data length (8).
>
> CAN frames that are dropped by these additional checks are counted with the
> CGW_DELETED counter which indicates misconfigurations in can-gw rules.
>
> This fixes CVE-2019-3701.
>
> Reported-by: Muyu Yu <ieatmuttonchuan@xxxxxxxxx>
> Reported-by: Marcus Meissner <meissner@xxxxxxx>
> Suggested-by: Michal Kubecek <mkubecek@xxxxxxx>
> Tested-by: Muyu Yu <ieatmuttonchuan@xxxxxxxxx>
> Tested-by: Oliver Hartkopp <socketcan@xxxxxxxxxxxx>
> Signed-off-by: Oliver Hartkopp <socketcan@xxxxxxxxxxxx>
> Cc: linux-stable <stable@xxxxxxxxxxxxxxx> # >= v3.2
> Signed-off-by: Marc Kleine-Budde <mkl@xxxxxxxxxxxxxx>

Marc, do you want me to apply this directly to my net tree?

Thanks.
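The mechanism the quoted commit message describes, modelled in userspace as an added example (this is not the kernel's can-gw code and not part of the thread above): a modification rule raises the DLC past the 8 bytes actually present, and a checksum rule whose result index is relative to the end of the data then lands in the memory that follows the payload. Only CAN_MAX_DLEN is a real kernel constant; struct model_skb, model_gw_process, the rule structs, the DLC value 12 and the sentinel bytes are constructed for the illustration. The "hardened" path reproduces the two checks the message names: drop (and count as deleted) any frame whose DLC exceeds the available data after modification, and cap the checksum length at the Classic CAN maximum.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* CAN_MAX_DLEN is the Classic CAN payload limit (8 bytes), as in <linux/can.h>. */
#define CAN_MAX_DLEN 8
#define MODEL_TAIL_LEN 8   /* constructed: bytes that follow the payload in our model */

/*
 * Constructed stand-in for an skb carrying a Classic CAN frame: the payload is
 * followed in memory by metadata (playing the part of skb_shared_info). Keeping
 * both in one buffer makes the out-of-payload write observable without
 * leaving the allocation.
 */
struct model_skb {
    uint8_t len;                                  /* data length code (DLC) */
    uint8_t buf[CAN_MAX_DLEN + MODEL_TAIL_LEN];   /* buf[0..7] payload, buf[8..15] "tail" */
};

/* Hypothetical "set DLC" modification rule, the kind a CAP_NET_ADMIN user can configure. */
struct model_mod {
    bool set_len;
    uint8_t new_len;
};

/* Hypothetical XOR checksum rule; negative indices count back from the end of the data. */
struct model_csum_xor {
    int8_t from_idx;
    int8_t to_idx;
    int8_t result_idx;
    uint8_t init_xor_val;
};

enum model_verdict { MODEL_FORWARDED = 0, MODEL_DROPPED = 1 };

struct model_result {
    enum model_verdict verdict;
    bool tail_corrupted;   /* true if bytes beyond the payload changed */
};

/* Plays the role of the CGW_DELETED counter: frames dropped by the added checks. */
unsigned long model_deleted;

static int rel_idx(int8_t idx, int len)
{
    return idx < 0 ? len + idx : idx;
}

/* XOR bytes from..to and store the result at result_idx, all resolved against len. */
static void model_csum_xor_rel(struct model_skb *skb, const struct model_csum_xor *c, int len)
{
    int from = rel_idx(c->from_idx, len);
    int to = rel_idx(c->to_idx, len);
    int res = rel_idx(c->result_idx, len);
    int limit = (int)sizeof(skb->buf);
    uint8_t x = c->init_xor_val;
    int i;

    /* Model safety only: never index outside our own buffer. */
    if (from < 0 || from >= limit || to < 0 || to >= limit || res < 0 || res >= limit)
        return;
    if (from <= to)
        for (i = from; i <= to; i++) x ^= skb->buf[i];
    else
        for (i = from; i >= to; i--) x ^= skb->buf[i];
    skb->buf[res] = x;   /* with len > 8 and a negative result_idx this hits the tail */
}

/* Modification followed by checksum, with or without the fix's checks. */
enum model_verdict model_gw_process(struct model_skb *skb, const struct model_mod *mod,
                                    const struct model_csum_xor *csum, bool hardened)
{
    int csum_len;

    if (mod->set_len)
        skb->len = mod->new_len;   /* nothing stops a rule from setting DLC > 8 */

    if (hardened && skb->len > CAN_MAX_DLEN) {
        model_deleted++;           /* counted like CGW_DELETED: a misconfigured rule */
        return MODEL_DROPPED;
    }
    /* Second check from the fix: checksum length never exceeds Classic CAN's 8. */
    csum_len = (hardened && skb->len > CAN_MAX_DLEN) ? CAN_MAX_DLEN : skb->len;
    model_csum_xor_rel(skb, csum, csum_len);
    return MODEL_FORWARDED;
}

/* Constructed scenario: 8-byte frame, rule sets DLC to 12, XOR result at the last "data" byte. */
struct model_result model_scenario(bool hardened)
{
    struct model_skb skb;
    struct model_result r;
    const struct model_mod mod = { .set_len = true, .new_len = 12 };
    const struct model_csum_xor csum = { .from_idx = 0, .to_idx = -2, .result_idx = -1,
                                         .init_xor_val = 0xFF };
    uint8_t tail_before[MODEL_TAIL_LEN];

    skb.len = CAN_MAX_DLEN;
    memset(skb.buf, 0x11, CAN_MAX_DLEN);                   /* constructed payload */
    memset(skb.buf + CAN_MAX_DLEN, 0xAA, MODEL_TAIL_LEN);  /* constructed tail sentinel */
    memcpy(tail_before, skb.buf + CAN_MAX_DLEN, MODEL_TAIL_LEN);

    r.verdict = model_gw_process(&skb, &mod, &csum, hardened);
    r.tail_corrupted = memcmp(tail_before, skb.buf + CAN_MAX_DLEN, MODEL_TAIL_LEN) != 0;
    return r;
}

int main(void)
{
    struct model_result unfixed = model_scenario(false);
    struct model_result fixed = model_scenario(true);

    printf("unfixed: verdict=%d tail_corrupted=%d\n", unfixed.verdict, unfixed.tail_corrupted);
    printf("fixed:   verdict=%d tail_corrupted=%d deleted=%lu\n",
           fixed.verdict, fixed.tail_corrupted, model_deleted);
    return 0;
}
```

In the unfixed path the frame is forwarded and the checksum result overwrites a byte of the tail region; in the fixed path the same rule produces a dropped frame, an incremented deleted counter and an untouched tail. On a real system, a rising CGW_DELETED count on a can-gw rule is the operational signal that a rule is misconfigured in exactly this way.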