Fix CVE-2019-3701 (rhbz 1663729 1663730)
This commit is contained in:
Justin M. Forbes
parent
63d40f4c3a
commit
22a3ba7648
42
CVE-2019-3701.patch
Normal file
42
CVE-2019-3701.patch
Normal file
@ -0,0 +1,42 @@
|
|||||||
|
From linux-netdev Thu Jan 03 12:26:34 2019
|
||||||
|
From: Oliver Hartkopp <socketcan () hartkopp ! net>
|
||||||
|
Date: Thu, 03 Jan 2019 12:26:34 +0000
|
||||||
|
To: linux-netdev
|
||||||
|
Subject: [PATCH] can: gw: ensure DLC boundaries after CAN frame modification
|
||||||
|
Message-Id: <20190103122634.2530-1-socketcan () hartkopp ! net>
|
||||||
|
X-MARC-Message: https://marc.info/?l=linux-netdev&m=154651842302479
|
||||||
|
|
||||||
|
The CAN frame modification rules allow bitwise logical operations which can
|
||||||
|
be also applied to the can_dlc field. Ensure the manipulation result to
|
||||||
|
maintain the can_dlc boundaries so that the CAN drivers do not accidently
|
||||||
|
write arbitrary content beyond the data registers in the CAN controllers
|
||||||
|
I/O mem when processing can-gw manipulated outgoing frames. When passing these
|
||||||
|
frames to user space this issue did not have any effect to the kernel or any
|
||||||
|
leaked data as we always strictly copy sizeof(struct can_frame) bytes.
|
||||||
|
|
||||||
|
Reported-by: Muyu Yu <ieatmuttonchuan@gmail.com>
|
||||||
|
Reported-by: Marcus Meissner <meissner@suse.de>
|
||||||
|
Tested-by: Muyu Yu <ieatmuttonchuan@gmail.com>
|
||||||
|
Signed-off-by: Oliver Hartkopp <socketcan@hartkopp.net>
|
||||||
|
Cc: linux-stable <stable@vger.kernel.org> # >= v3.2
|
||||||
|
---
|
||||||
|
net/can/gw.c | 4 ++++
|
||||||
|
1 file changed, 4 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/net/can/gw.c b/net/can/gw.c
|
||||||
|
index faa3da88a127..9000d9b8a133 100644
|
||||||
|
--- a/net/can/gw.c
|
||||||
|
+++ b/net/can/gw.c
|
||||||
|
@@ -418,6 +418,10 @@ static void can_can_gw_rcv(struct sk_buff *skb, void *data)
|
||||||
|
|
||||||
|
/* check for checksum updates when the CAN frame has been modified */
|
||||||
|
if (modidx) {
|
||||||
|
+ /* ensure DLC boundaries after the different mods */
|
||||||
|
+ if (cf->can_dlc > 8)
|
||||||
|
+ cf->can_dlc = 8;
|
||||||
|
+
|
||||||
|
if (gwj->mod.csumfunc.crc8)
|
||||||
|
(*gwj->mod.csumfunc.crc8)(cf, &gwj->mod.csum.crc8);
|
||||||
|
|
||||||
|
--
|
||||||
|
2.19.2
|
||||||
@ -601,6 +601,9 @@ Patch502: input-rmi4-remove-the-need-for-artifical-IRQ.patch
|
|||||||
# nvlink failure
|
# nvlink failure
|
||||||
Patch506: 0001-Drop-that-def_bool.patch
|
Patch506: 0001-Drop-that-def_bool.patch
|
||||||
|
|
||||||
|
# CVE-2019-3701 rhbz 1663729 1663730
|
||||||
|
Patch507: CVE-2019-3701.patch
|
||||||
|
|
||||||
# END OF PATCH DEFINITIONS
|
# END OF PATCH DEFINITIONS
|
||||||
|
|
||||||
%endif
|
%endif
|
||||||
@ -1872,6 +1875,9 @@ fi
|
|||||||
#
|
#
|
||||||
#
|
#
|
||||||
%changelog
|
%changelog
|
||||||
|
* Wed Jan 09 2019 Justin M. Forbes <jforbes@fedoraproject.org>
|
||||||
|
- Fix CVE-2019-3701 (rhbz 1663729 1663730)
|
||||||
|
|
||||||
* Tue Jan 08 2019 Laura Abbott <labbott@redhat.com> - 5.0.0-0.rc1.git1.1
|
* Tue Jan 08 2019 Laura Abbott <labbott@redhat.com> - 5.0.0-0.rc1.git1.1
|
||||||
- Linux v5.0-rc1-2-g7b5585136713
|
- Linux v5.0-rc1-2-g7b5585136713
|
||||||
|
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user