Fix CVE-2019-3701 (rhbz 1663729 1663730)
This commit is contained in:
Justin M. Forbes
parent
63d40f4c3a
commit
22a3ba7648
42
CVE-2019-3701.patch
Normal file
42
CVE-2019-3701.patch
Normal file
@ -0,0 +1,42 @@
|
||||
From linux-netdev Thu Jan 03 12:26:34 2019
|
||||
From: Oliver Hartkopp <socketcan () hartkopp ! net>
|
||||
Date: Thu, 03 Jan 2019 12:26:34 +0000
|
||||
To: linux-netdev
|
||||
Subject: [PATCH] can: gw: ensure DLC boundaries after CAN frame modification
|
||||
Message-Id: <20190103122634.2530-1-socketcan () hartkopp ! net>
|
||||
X-MARC-Message: https://marc.info/?l=linux-netdev&m=154651842302479
|
||||
|
||||
The CAN frame modification rules allow bitwise logical operations which can
|
||||
be also applied to the can_dlc field. Ensure the manipulation result to
|
||||
maintain the can_dlc boundaries so that the CAN drivers do not accidently
|
||||
write arbitrary content beyond the data registers in the CAN controllers
|
||||
I/O mem when processing can-gw manipulated outgoing frames. When passing these
|
||||
frames to user space this issue did not have any effect to the kernel or any
|
||||
leaked data as we always strictly copy sizeof(struct can_frame) bytes.
|
||||
|
||||
Reported-by: Muyu Yu <ieatmuttonchuan@gmail.com>
|
||||
Reported-by: Marcus Meissner <meissner@suse.de>
|
||||
Tested-by: Muyu Yu <ieatmuttonchuan@gmail.com>
|
||||
Signed-off-by: Oliver Hartkopp <socketcan@hartkopp.net>
|
||||
Cc: linux-stable <stable@vger.kernel.org> # >= v3.2
|
||||
---
|
||||
net/can/gw.c | 4 ++++
|
||||
1 file changed, 4 insertions(+)
|
||||
|
||||
diff --git a/net/can/gw.c b/net/can/gw.c
|
||||
index faa3da88a127..9000d9b8a133 100644
|
||||
--- a/net/can/gw.c
|
||||
+++ b/net/can/gw.c
|
||||
@@ -418,6 +418,10 @@ static void can_can_gw_rcv(struct sk_buff *skb, void *data)
|
||||
|
||||
/* check for checksum updates when the CAN frame has been modified */
|
||||
if (modidx) {
|
||||
+ /* ensure DLC boundaries after the different mods */
|
||||
+ if (cf->can_dlc > 8)
|
||||
+ cf->can_dlc = 8;
|
||||
+
|
||||
if (gwj->mod.csumfunc.crc8)
|
||||
(*gwj->mod.csumfunc.crc8)(cf, &gwj->mod.csum.crc8);
|
||||
|
||||
--
|
||||
2.19.2
|
||||
@ -601,6 +601,9 @@ Patch502: input-rmi4-remove-the-need-for-artifical-IRQ.patch
|
||||
# nvlink failure
|
||||
Patch506: 0001-Drop-that-def_bool.patch
|
||||
|
||||
# CVE-2019-3701 rhbz 1663729 1663730
|
||||
Patch507: CVE-2019-3701.patch
|
||||
|
||||
# END OF PATCH DEFINITIONS
|
||||
|
||||
%endif
|
||||
@ -1872,6 +1875,9 @@ fi
|
||||
#
|
||||
#
|
||||
%changelog
|
||||
* Wed Jan 09 2019 Justin M. Forbes <jforbes@fedoraproject.org>
|
||||
- Fix CVE-2019-3701 (rhbz 1663729 1663730)
|
||||
|
||||
* Tue Jan 08 2019 Laura Abbott <labbott@redhat.com> - 5.0.0-0.rc1.git1.1
|
||||
- Linux v5.0-rc1-2-g7b5585136713
|
||||
|
||||
|
||||
Loading…
Reference in New Issue
Block a user