From: Oliver Hartkopp <socketcan@hartkopp.net>
To: Vincent Mailhol <mailhol.vincent@wanadoo.fr>,
Marc Kleine-Budde <mkl@pengutronix.de>,
linux-can@vger.kernel.org
Cc: kernel@pengutronix.de, "Stéphane Grosjean" <s.grosjean@peak-system.com>
Subject: Re: [net-rfc 04/16] can: dev: can_get_len(): add a helper function to get the correct length of Classical frames
Date: Tue, 20 Oct 2020 19:04:04 +0200 [thread overview]
Message-ID: <a9605011-2674-dc73-111c-8ebf724a13ac@hartkopp.net> (raw)
In-Reply-To: <20201020160739.104686-1-mailhol.vincent@wanadoo.fr>
On 20.10.20 18:07, Vincent Mailhol wrote:
> I also did the test. I can send a CAN with a DLC of 13 on one
> controller and the other ones correctly received a frame of 8 bytes
> with a DLC of 13.
o_O
You see me perplexed ...
> After, I am not saying that absolutely all the controllers will allow
> DLC greater than 8. I would not be surprised to see some controllers
> attempting to do some sanitization (which would violate the ISO) and
> maybe you did your testing on such controllers. Only thing I can tell
> is that all the controllers I studied allowed it (I can give more
> examples upon request).
I believe you.
> As for security testing, I worked as a security consultant in the
> automotive industry for the last three years and with our colleagues,
> we witnessed some ECUs that would completely stop responding after
> receiving some DLCs greater than 8 due to some buffer overflow. This
> is a real thing which can be found in production, I think it would be
> great to be able to test that using socket CAN.
Yes. That's a valid use-case. Many people are testing CAN setups based
on SocketCAN. So getting every aspect of CAN available is needed to be
able to provide a real OSS solution.
> Some professional tools such as the CAN testing suite of Defensics by
> Synopsys also include these kind of tests. Because Socket CAN does not
> support this, Synopsys actually recommends to use the proprietary
> drivers from the Peak controller which do allow this (unfortunately,
> the Defensics documentation is not available publicly so I can not
> give you a link to support my claim on that last example).
Stephane from PEAK is working on the Linux driver (Mainline Linux & PEAK
chardev), so I put him on CC. Or are you referring to the Windows driver?
> I hope that I could highlight in this answer that I am more than just
> a hobbyist who got exited after ready the ISO and that I know this
> subject. What I explain here is well known in the niche community of
> automotive security researcher but outside of it I just think that
> people are not aware of it.
Well I have done a lot in automotive CAN security too - with message
authentication and with CAN IDS - but this DLC thing was still new to me ...
From a first thought I would see a new flag CAN_CTRLMODE_RAW_DLC in the
netlink interface of IFLA_CAN_CTRLMODE for the CAN controller driver.
This could switch the sanitizing AND the CAN controller can properly
expose its ability to support this mode.
I think I have to pick a beer and look at some code ... :-)
Best regards,
Oliver
next prev parent reply other threads:[~2020-10-20 17:04 UTC|newest]
Thread overview: 45+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-10-19 19:05 [RFC]: can 2020-10-19 Marc Kleine-Budde
2020-10-19 19:05 ` [net-rfc 01/16] can: proc: can_remove_proc(): silence remove_proc_entry warning Marc Kleine-Budde
2020-10-19 19:05 ` [net-rfc 02/16] can: rx-offload: don't call kfree_skb() from IRQ context Marc Kleine-Budde
2020-10-19 19:05 ` [net-rfc 03/16] can: dev: can_get_echo_skb(): prevent call to kfree_skb() in hard " Marc Kleine-Budde
2020-10-19 19:05 ` [net-rfc 04/16] can: dev: can_get_len(): add a helper function to get the correct length of Classical frames Marc Kleine-Budde
2020-10-19 20:35 ` Oliver Hartkopp
2020-10-20 6:35 ` Marc Kleine-Budde
2020-10-20 11:30 ` Vincent Mailhol
2020-10-20 11:48 ` Marc Kleine-Budde
2020-10-20 12:38 ` Oliver Hartkopp
2020-10-20 15:02 ` Marc Kleine-Budde
2020-10-20 16:07 ` Vincent Mailhol
2020-10-20 17:04 ` Oliver Hartkopp [this message]
2020-10-20 18:50 ` Marc Kleine-Budde
2020-10-21 0:52 ` Vincent Mailhol
2020-10-21 6:23 ` Vincent MAILHOL
2020-10-21 7:11 ` Joakim Zhang
2020-10-21 7:21 ` Marc Kleine-Budde
2020-10-21 7:48 ` Joakim Zhang
2020-10-21 9:21 ` Oliver Hartkopp
2020-10-21 9:48 ` Oliver Hartkopp
2020-10-21 11:55 ` Vincent MAILHOL
2020-10-21 17:52 ` Oliver Hartkopp
2020-10-22 3:30 ` Vincent MAILHOL
2020-10-22 7:15 ` Oliver Hartkopp
2020-10-22 12:23 ` Vincent MAILHOL
2020-10-22 13:28 ` Oliver Hartkopp
2020-10-22 15:46 ` Vincent MAILHOL
2020-10-22 17:06 ` Oliver Hartkopp
2020-10-23 10:36 ` Vincent MAILHOL
2020-10-23 16:47 ` Oliver Hartkopp
2020-10-24 5:25 ` Vincent MAILHOL
2020-10-24 11:31 ` Oliver Hartkopp
2020-10-19 19:05 ` [net-rfc 05/16] can: dev: __can_get_echo_skb(): fix the returned length of CAN frame Marc Kleine-Budde
2020-10-19 19:05 ` [net-rfc 06/16] can: can_create_echo_skb(): fix echo skb generation: always use skb_clone() Marc Kleine-Budde
2020-10-19 19:05 ` [net-rfc 07/16] can: j1939: j1939_sk_bind(): return failure if netdev is down Marc Kleine-Budde
2020-10-19 19:05 ` [net-rfc 08/16] can: isotp: Explain PDU in CAN_ISOTP help text Marc Kleine-Budde
2020-10-19 19:05 ` [net-rfc 09/16] can: isotp: enable RX timeout handling in listen-only mode Marc Kleine-Budde
2020-10-19 19:05 ` [net-rfc 10/16] can: ti_hecc: add missed clk_disable_unprepare() in error path Marc Kleine-Budde
2020-10-19 19:05 ` [net-rfc 11/16] can: xilinx_can: handle failure cases of pm_runtime_get_sync Marc Kleine-Budde
2020-10-19 19:05 ` [net-rfc 12/16] can: peak_usb: fix timestamp wrapping Marc Kleine-Budde
2020-10-19 19:05 ` [net-rfc 13/16] can: peak_canfd: fix echo management when loopback is on Marc Kleine-Budde
2020-10-19 19:05 ` [net-rfc 14/16] can: mcp251xfd: mcp251xfd_regmap_crc_read(): increase severity of CRC read error messages Marc Kleine-Budde
2020-10-19 19:05 ` [net-rfc 15/16] can: mcp251xfd: mcp251xfd_regmap_nocrc_read(): fix semicolon.cocci warnings Marc Kleine-Budde
2020-10-19 19:05 ` [net-rfc 16/16] can: mcp251xfd: remove unneeded break Marc Kleine-Budde
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=a9605011-2674-dc73-111c-8ebf724a13ac@hartkopp.net \
--to=socketcan@hartkopp.net \
--cc=kernel@pengutronix.de \
--cc=linux-can@vger.kernel.org \
--cc=mailhol.vincent@wanadoo.fr \
--cc=mkl@pengutronix.de \
--cc=s.grosjean@peak-system.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).