From: Marc Kleine-Budde <[email protected]>
Date: Fri, 4 Jan 2019 15:55:26 +0100
> From: Oliver Hartkopp <[email protected]>
>
> Muyu Yu provided a POC where user root with CAP_NET_ADMIN can create a CAN
> frame modification rule that makes the data length code a higher value than
> the available CAN frame data size. In combination with a configured checksum
> calculation where the result is stored relative to the end of the data
> (e.g. cgw_csum_xor_rel) the tail of the skb (e.g. frag_list pointer in
> skb_shared_info) can be rewritten which finally can cause a system crash.
>
> Michael Kubecek suggested dropping frames that have a DLC exceeding the
> available space after the modification process and provided a patch that can
> handle CAN FD frames too. Within this patch we also limit the length for the
> checksum calculations to the maximum of Classic CAN data length (8).
>
> CAN frames that are dropped by these additional checks are counted with the
> CGW_DELETED counter which indicates misconfigurations in can-gw rules.
>
> This fixes CVE-2019-3701.
>
> Reported-by: Muyu Yu <[email protected]>
> Reported-by: Marcus Meissner <[email protected]>
> Suggested-by: Michal Kubecek <[email protected]>
> Tested-by: Muyu Yu <[email protected]>
> Tested-by: Oliver Hartkopp <[email protected]>
> Signed-off-by: Oliver Hartkopp <[email protected]>
> Cc: linux-stable <[email protected]> # >= v3.2
> Signed-off-by: Marc Kleine-Budde <[email protected]>

Marc, do you want me to apply this directly to my net tree?

Thanks.
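
The following is an added example, not code from net/can/gw.c and not part of the thread above. It models, in a flat byte buffer, the flow the commit message describes: a modification rule raises the DLC beyond the data bytes the skb actually holds, and an XOR checksum whose result slot is counted back from the end of the data then writes into the metadata behind the frame. It also shows the two checks the message names (drop when the DLC exceeds the available space, and only run checksums up to the Classic CAN length of 8). Everything here is invented for the illustration: model_skb, gw_process, scenario, the sentinel bytes standing in for skb_shared_info, and the placement of that metadata directly at buf + len. The index arithmetic (a negative index resolved as idx + DLC) is an assumption about how the end-relative checksum variants resolve indices, not a quotation of the kernel source.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not net/can/gw.c. All names below are invented for the model. */

#define CAN_MAX_DLEN   8     /* Classic CAN payload limit, also the checksum limit */
#define CANFD_MAX_DLEN 64    /* CAN FD payload limit */
#define HDR_LEN        5     /* model frame header: 4-byte can_id + 1 length byte */
#define SHINFO_LEN     8     /* stand-in for the skb_shared_info behind the data */
#define SENTINEL       0xA5  /* fill pattern that must survive processing */

/* The frame occupies buf[0..len); the metadata that must never be written
 * starts at buf + len (assumption: modelled as immediately adjacent). */
struct model_skb {
    uint8_t buf[HDR_LEN + CANFD_MAX_DLEN + SHINFO_LEN];
    int len;
};

/* XOR rule: negative indices count back from the end of the data. */
struct xor_rule {
    int8_t from_idx, to_idx, result_idx;
    uint8_t init_xor_val;
};

enum { CGW_OK = 0, CGW_DELETED = 1 };   /* return codes of the model only */

struct outcome {
    int rc;             /* CGW_OK or CGW_DELETED */
    int shinfo_intact;  /* 1 if the sentinel bytes were untouched */
};

static void skb_init(struct model_skb *skb, int dlen, uint8_t dlc)
{
    memset(skb->buf, 0, sizeof skb->buf);
    skb->len = HDR_LEN + dlen;
    skb->buf[4] = dlc;
    for (int i = 0; i < dlen; i++)
        skb->buf[HDR_LEN + i] = (uint8_t)(0x10 + i);   /* constructed payload */
    memset(skb->buf + skb->len, SENTINEL, SHINFO_LEN);
}

/* Assumption about the *_rel variants: a negative index becomes idx + DLC. */
static int calc_idx(int idx, int dlc)
{
    return idx < 0 ? idx + dlc : idx;
}

/* XOR checksum with end-relative indices. It trusts the frame's length byte,
 * so an oversized DLC moves the result slot past the real data area. */
static void csum_xor_rel(uint8_t *frame, const struct xor_rule *r)
{
    uint8_t *data = frame + HDR_LEN;
    int dlc = frame[4];
    int from = calc_idx(r->from_idx, dlc);
    int to = calc_idx(r->to_idx, dlc);
    int res = calc_idx(r->result_idx, dlc);
    uint8_t v = r->init_xor_val;

    for (int i = from; i <= to; i++)
        v ^= data[i];
    data[res] = v;
}

/* Gateway receive path: apply the rule's new DLC, then the checksum.
 * hardened == 0 is the unchecked flow; hardened == 1 adds the DLC-fits-the-skb
 * check and the Classic-CAN-only checksum limit from the commit message. */
static int gw_process(struct model_skb *skb, uint8_t new_dlc,
                      const struct xor_rule *r, int hardened)
{
    uint8_t *frame = skb->buf;

    frame[4] = new_dlc;                        /* the modification rule */
    if (hardened) {
        int max_len = skb->len - HDR_LEN;      /* data bytes actually available */
        if (frame[4] > max_len)
            return CGW_DELETED;                /* DLC exceeds the skb: drop */
        if (frame[4] > CAN_MAX_DLEN)
            return CGW_DELETED;                /* checksums only up to 8 data bytes */
    }
    csum_xor_rel(frame, r);
    return CGW_OK;
}

/* dlen: data bytes in the skb (8 Classic CAN, 64 CAN FD); new_dlc: what the
 * rule writes into the length byte. The XOR result goes to index -1, i.e.
 * the last byte according to the (possibly lying) DLC. */
static struct outcome scenario(int dlen, uint8_t new_dlc, int hardened)
{
    struct model_skb skb;
    struct xor_rule r = { .from_idx = 0, .to_idx = 3, .result_idx = -1, .init_xor_val = 0 };
    struct outcome o;

    skb_init(&skb, dlen, 4);
    o.rc = gw_process(&skb, new_dlc, &r, hardened);
    o.shinfo_intact = 1;
    for (int i = 0; i < SHINFO_LEN; i++)
        if (skb.buf[skb.len + i] != SENTINEL)
            o.shinfo_intact = 0;
    return o;
}

int main(void)
{
    struct outcome o = scenario(CAN_MAX_DLEN, 12, 0);
    printf("unchecked, DLC 12 on 8 data bytes: rc=%d intact=%d\n", o.rc, o.shinfo_intact);
    o = scenario(CAN_MAX_DLEN, 12, 1);
    printf("hardened,  DLC 12 on 8 data bytes: rc=%d intact=%d\n", o.rc, o.shinfo_intact);
    o = scenario(CANFD_MAX_DLEN, 12, 1);
    printf("hardened,  DLC 12 on CAN FD skb:   rc=%d (8-byte checksum limit)\n", o.rc);
    return 0;
}
```

In the unchecked run the rule sets DLC 12 on an skb holding 8 data bytes, so result index -1 resolves to 11 and the checksum byte lands three bytes into the sentinel region that stands in for the metadata behind the frame. With the checks enabled the same rule is dropped before the checksum runs (the model returns CGW_DELETED where the kernel increments its counter), and on a CAN FD sized skb, where DLC 12 does fit, the frame is still dropped by the 8-byte checksum limit; a rule that keeps the DLC at 8 passes unchanged.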
