On 1/4/19 10:41 PM, David Miller wrote:
> From: Marc Kleine-Budde <mkl@xxxxxxxxxxxxxx>
> Date: Fri, 4 Jan 2019 15:55:26 +0100
>
>> From: Oliver Hartkopp <socketcan@xxxxxxxxxxxx>
>>
>> Muyu Yu provided a POC where user root with CAP_NET_ADMIN can create a CAN
>> frame modification rule that makes the data length code a higher value than
>> the available CAN frame data size. In combination with a configured checksum
>> calculation where the result is stored relatively to the end of the data
>> (e.g. cgw_csum_xor_rel) the tail of the skb (e.g. frag_list pointer in
>> skb_shared_info) can be rewritten which finally can cause a system crash.
>>
>> Michal Kubecek suggested to drop frames that have a DLC exceeding the
>> available space after the modification process and provided a patch that can
>> handle CAN FD frames too. Within this patch we also limit the length for the
>> checksum calculations to the maximum of Classic CAN data length (8).
>>
>> CAN frames that are dropped by these additional checks are counted with the
>> CGW_DELETED counter which indicates misconfigurations in can-gw rules.
>>
>> This fixes CVE-2019-3701.
>>
>> Reported-by: Muyu Yu <ieatmuttonchuan@xxxxxxxxx>
>> Reported-by: Marcus Meissner <meissner@xxxxxxx>
>> Suggested-by: Michal Kubecek <mkubecek@xxxxxxx>
>> Tested-by: Muyu Yu <ieatmuttonchuan@xxxxxxxxx>
>> Tested-by: Oliver Hartkopp <socketcan@xxxxxxxxxxxx>
>> Signed-off-by: Oliver Hartkopp <socketcan@xxxxxxxxxxxx>
>> Cc: linux-stable <stable@xxxxxxxxxxxxxxx> # >= v3.2
>> Signed-off-by: Marc Kleine-Budde <mkl@xxxxxxxxxxxxxx>
>
> Marc, do you want me to apply this directly to my net tree?

No, I'll send a pull request.

Thanks,
Marc

-- 
Pengutronix e.K.                  | Marc Kleine-Budde           |
Industrial Linux Solutions        | Phone: +49-231-2826-924     |
Vertretung West/Dortmund          | Fax:   +49-5121-206917-5555 |
Amtsgericht Hildesheim, HRA 2686  | http://www.pengutronix.de   |
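The two checks the commit message describes (drop a frame whose DLC exceeds the space it can occupy, and clamp the length used for a relative checksum slot to the Classic CAN maximum of 8), written out as a stand-alone C illustration for this thread. This is not the patch from net/can/gw.c: the function names, the `fd` flag, the `cgw_deleted` counter and the data array are constructed for the example.

```c
#include <stdbool.h>
#include <stdint.h>

/* Constructed model, not the kernel's structures. */
#define CAN_MAX_DLEN   8    /* Classic CAN payload limit */
#define CANFD_MAX_DLEN 64   /* CAN FD payload limit */

/* Stands in for the CGW_DELETED counter mentioned in the commit message:
 * every frame rejected by the length check below is counted here, so a
 * rising value points at a misconfigured can-gw modification rule. */
static unsigned long cgw_deleted;

/* Post-modification length check: once a rule has rewritten the DLC, a
 * value larger than the payload the frame type actually provides would
 * let a later stage address memory behind the data (the skb tail in the
 * report).  Such frames are dropped instead of being processed further. */
static bool cgw_len_ok(uint8_t dlc, bool fd)
{
    uint8_t max_len = fd ? CANFD_MAX_DLEN : CAN_MAX_DLEN;
    if (dlc > max_len) {
        cgw_deleted++;
        return false;
    }
    return true;
}

/* Index of a checksum result slot given relative to the end of the data
 * (result_rel <= 0, the cgw_csum_xor_rel idea).  The length used for the
 * calculation is clamped to 8, so a DLC larger than the data area cannot
 * push the store past byte 7.  Returns -1 when the slot is out of range. */
static int csum_result_idx(uint8_t dlc, int result_rel)
{
    int len = dlc > CAN_MAX_DLEN ? CAN_MAX_DLEN : dlc;
    int idx = len + result_rel;
    return (idx >= 0 && idx < len) ? idx : -1;
}

/* XOR data[from..to] and store the result in the relative slot.
 * Returns the stored checksum, or -1 if any index would be out of range. */
static int xor_rel_store(uint8_t *data, uint8_t dlc, int from, int to, int result_rel)
{
    int len = dlc > CAN_MAX_DLEN ? CAN_MAX_DLEN : dlc;
    int idx = csum_result_idx(dlc, result_rel);
    uint8_t x = 0;
    if (idx < 0 || from < 0 || to >= len || from > to)
        return -1;
    for (int i = from; i <= to; i++)
        x ^= data[i];
    data[idx] = x;
    return x;
}
```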