From: Marc Kleine-Budde <m...@pengutronix.de> Date: Fri, 4 Jan 2019 15:55:26 +0100
> From: Oliver Hartkopp <socket...@hartkopp.net> > > Muyu Yu provided a POC where user root with CAP_NET_ADMIN can create a CAN > frame modification rule that makes the data length code a higher value than > the available CAN frame data size. In combination with a configured checksum > calculation where the result is stored relatively to the end of the data > (e.g. cgw_csum_xor_rel) the tail of the skb (e.g. frag_list pointer in > skb_shared_info) can be rewritten which finally can cause a system crash. > > Michael Kubecek suggested to drop frames that have a DLC exceeding the > available space after the modification process and provided a patch that can > handle CAN FD frames too. Within this patch we also limit the length for the > checksum calculations to the maximum of Classic CAN data length (8). > > CAN frames that are dropped by these additional checks are counted with the > CGW_DELETED counter which indicates misconfigurations in can-gw rules. > > This fixes CVE-2019-3701. > > Reported-by: Muyu Yu <ieatmuttonch...@gmail.com> > Reported-by: Marcus Meissner <meiss...@suse.de> > Suggested-by: Michal Kubecek <mkube...@suse.cz> > Tested-by: Muyu Yu <ieatmuttonch...@gmail.com> > Tested-by: Oliver Hartkopp <socket...@hartkopp.net> > Signed-off-by: Oliver Hartkopp <socket...@hartkopp.net> > Cc: linux-stable <sta...@vger.kernel.org> # >= v3.2 > Signed-off-by: Marc Kleine-Budde <m...@pengutronix.de> Marc, do you want me to apply this directly to my net tree? Thanks.
