Message ID | 20230404073128.3173900-1-o.rempel@pengutronix.de
---|---
State | New
From | Oleksij Rempel <o.rempel@pengutronix.de>
To | Robin van der Gracht <robin@protonic.nl>, Oliver Hartkopp <socketcan@hartkopp.net>, Marc Kleine-Budde <mkl@pengutronix.de>
Cc | Oleksij Rempel <o.rempel@pengutronix.de>, Shuangpeng Bai <sjb7183@psu.edu>, kernel@pengutronix.de, linux-can@vger.kernel.org, linux-kernel@vger.kernel.org
Subject | [PATCH v1] net: can: j1939: Fix out-of-bounds memory access in j1939_tp_tx_dat_new
Date | Tue, 4 Apr 2023 09:31:28 +0200
Series | [v1] net: can: j1939: Fix out-of-bounds memory access in j1939_tp_tx_dat_new
Commit Message
Oleksij Rempel
April 4, 2023, 7:31 a.m. UTC
In the j1939_tp_tx_dat_new function, an out-of-bounds memory access could occur during the memcpy operation if the size of skb->cb is larger than the size of struct j1939_sk_buff_cb. This is because the memcpy operation uses the size of skb->cb, leading to a read beyond the struct j1939_sk_buff_cb.

To address this issue, we have updated the memcpy operation to use the size of struct j1939_sk_buff_cb instead of the size of skb->cb. This ensures that the memcpy operation only reads the memory within the bounds of struct j1939_sk_buff_cb, preventing out-of-bounds memory access.

Additionally, a static_assert has been added to check that the size of skb->cb is greater than or equal to the size of struct j1939_sk_buff_cb. This ensures that the skb->cb buffer is large enough to hold the j1939_sk_buff_cb structure.

Fixes: 9d71dd0c7009 ("can: add support of SAE J1939 protocol")
Reported-by: Shuangpeng Bai <sjb7183@psu.edu>
Tested-by: Shuangpeng Bai <sjb7183@psu.edu>
Signed-off-by: Oleksij Rempel <o.rempel@pengutronix.de>
---
 net/can/j1939/transport.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
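The defect the commit message describes is a memcpy whose length comes from the destination buffer (skb->cb) rather than from the source object (struct j1939_sk_buff_cb). The following user-space model is an added example, not code from the kernel or from this patch: SKB_CB_SIZE mirrors the 48-byte sk_buff::cb, but the j1939_sk_buff_cb layout, the field values and the canary region behind the source struct are constructed here so that the over-read can be observed safely inside memory the program owns. The `_Static_assert` plays the role of the patch's BUILD_BUG_ON.

```c
/*
 * Added example, not kernel code: a user-space model of the cb copy in
 * j1939_tp_tx_dat_new(). SKB_CB_SIZE matches sizeof(skb->cb) in the kernel;
 * the j1939_sk_buff_cb layout and values below are constructed for the
 * demonstration and are not the kernel's real struct.
 */
#include <assert.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SKB_CB_SIZE 48	/* size of sk_buff::cb in the kernel */
#define CANARY 0xA5	/* marks memory that lies behind the source struct */

/* Constructed stand-in for struct j1939_sk_buff_cb (8 bytes, no padding). */
struct j1939_sk_buff_cb {
	uint32_t pgn;
	uint8_t addr_src;
	uint8_t addr_dst;
	uint8_t priority;
	uint8_t flags;
};

struct sk_buff {
	unsigned char cb[SKB_CB_SIZE];
};

/* User-space equivalent of the patch's BUILD_BUG_ON() guard. */
_Static_assert(sizeof(((struct sk_buff *)0)->cb) >= sizeof(struct j1939_sk_buff_cb),
	       "skb->cb too small for struct j1939_sk_buff_cb");

/*
 * Source control block followed by a canary region. Every byte the buggy
 * copy reads stays inside this object, so the over-read is observable
 * without touching memory the program does not own.
 */
struct cb_with_guard {
	struct j1939_sk_buff_cb skcb;	/* must stay the first member */
	unsigned char guard[SKB_CB_SIZE];
};

static void init_source(struct cb_with_guard *src)
{
	memset(src, CANARY, sizeof(*src));	/* guard bytes = canary */
	src->skcb.pgn = 0xEA00;			/* constructed sample values */
	src->skcb.addr_src = 0x20;
	src->skcb.addr_dst = 0x10;
	src->skcb.priority = 6;
	src->skcb.flags = 0;
}

/* Count canary bytes that landed in skb->cb beyond the struct. */
static size_t leaked_bytes(const struct sk_buff *skb)
{
	size_t i, n = 0;

	for (i = sizeof(struct j1939_sk_buff_cb); i < sizeof(skb->cb); i++)
		if (skb->cb[i] == CANARY)
			n++;
	return n;
}

/* Before the fix: copy length is the destination size, sizeof(skb->cb). */
size_t copy_old(void)
{
	struct cb_with_guard src;
	struct sk_buff skb;
	const struct j1939_sk_buff_cb *re_skcb;

	init_source(&src);
	re_skcb = (const struct j1939_sk_buff_cb *)(const void *)&src;
	memset(skb.cb, 0, sizeof(skb.cb));
	memcpy(skb.cb, re_skcb, sizeof(skb.cb));	/* reads past *re_skcb */
	return leaked_bytes(&skb);
}

/* After the fix: copy length is the source struct size, sizeof(*re_skcb). */
size_t copy_fixed(void)
{
	struct cb_with_guard src;
	struct sk_buff skb;
	const struct j1939_sk_buff_cb *re_skcb;

	init_source(&src);
	re_skcb = (const struct j1939_sk_buff_cb *)(const void *)&src;
	memset(skb.cb, 0, sizeof(skb.cb));
	memcpy(skb.cb, re_skcb, sizeof(*re_skcb));	/* bounded by the struct */
	return leaked_bytes(&skb);
}

/* How many bytes past the struct the old copy length reaches. */
size_t over_read_bytes(void)
{
	return SKB_CB_SIZE - sizeof(struct j1939_sk_buff_cb);
}

int main(void)
{
	printf("old copy: %zu bytes from behind the struct (over-read is %zu)\n",
	       copy_old(), over_read_bytes());
	printf("fixed copy: %zu bytes from behind the struct\n", copy_fixed());
	return 0;
}
```

With the constructed 8-byte struct, `copy_old()` reports 40 canary bytes in the new control block, exactly the gap between the struct and the 48-byte cb, and `copy_fixed()` reports none. In the kernel the bytes behind the real struct are whatever happens to follow it in the source skb's cb or beyond, which is why the report treats it as an out-of-bounds read. Compile with `-std=c11` (or newer) for `_Static_assert`.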
Comments
On 04.04.2023 09:31:28, Oleksij Rempel wrote:
> In the j1939_tp_tx_dat_new function, an out-of-bounds memory access
> could occur during the memcpy operation if the size of skb->cb is
> larger than the size of struct j1939_sk_buff_cb. This is because the
> memcpy operation uses the size of skb->cb, leading to a read beyond
> the struct j1939_sk_buff_cb.
>
> To address this issue, we have updated the memcpy operation to use the
> size of struct j1939_sk_buff_cb instead of the size of skb->cb. This
> ensures that the memcpy operation only reads the memory within the
> bounds of struct j1939_sk_buff_cb, preventing out-of-bounds memory
> access.
>
> Additionally, a static_assert has been added to check that the size of
> skb->cb is greater than or equal to the size of struct j1939_sk_buff_cb.
> This ensures that the skb->cb buffer is large enough to hold the
> j1939_sk_buff_cb structure.
>
> Fixes: 9d71dd0c7009 ("can: add support of SAE J1939 protocol")
> Reported-by: Shuangpeng Bai <sjb7183@psu.edu>
> Tested-by: Shuangpeng Bai <sjb7183@psu.edu>
> Signed-off-by: Oleksij Rempel <o.rempel@pengutronix.de>

Applied.

regards,
Marc
diff --git a/net/can/j1939/transport.c b/net/can/j1939/transport.c index fb92c3609e17..fe3df23a2595 100644 --- a/net/can/j1939/transport.c +++ b/net/can/j1939/transport.c @@ -604,7 +604,10 @@ sk_buff *j1939_tp_tx_dat_new(struct j1939_priv *priv, /* reserve CAN header */ skb_reserve(skb, offsetof(struct can_frame, data)); - memcpy(skb->cb, re_skcb, sizeof(skb->cb)); + /* skb->cb must be large enough to hold a j1939_sk_buff_cb structure */ + BUILD_BUG_ON(sizeof(skb->cb) < sizeof(*re_skcb)); + + memcpy(skb->cb, re_skcb, sizeof(*re_skcb)); skcb = j1939_skb_to_cb(skb); if (swap_src_dst) j1939_skbcb_swap(skcb);
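Review bot: the commit message says a static_assert was added, but the hunk uses `BUILD_BUG_ON(sizeof(skb->cb) < sizeof(*re_skcb));` inside j1939_tp_tx_dat_new(); either reword the message or use the kernel's static_assert() at file scope next to the struct j1939_sk_buff_cb definition, which would also cover every other place that stores the struct in skb->cb rather than only this allocation path. The functional change itself is right: `memcpy(skb->cb, re_skcb, sizeof(*re_skcb));` bounds the copy by the source object, whereas the removed `sizeof(skb->cb)` read past the end of *re_skcb whenever cb is larger than the struct. Minor style point: the blank line between the BUILD_BUG_ON and the memcpy separates a check from the single statement it guards and can be dropped.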