* [PATCH net 0/2] pull-request: can 2022-01-05
@ 2022-01-05 20:54 Marc Kleine-Budde
  2022-01-05 20:54 ` [PATCH net 1/2] can: gs_usb: fix use of uninitialized variable, detach device on reception of invalid USB data Marc Kleine-Budde
  2022-01-05 20:54 ` [PATCH net 2/2] can: isotp: convert struct tpcon::{idx,len} to unsigned int Marc Kleine-Budde
  0 siblings, 2 replies; 4+ messages in thread
From: Marc Kleine-Budde @ 2022-01-05 20:54 UTC (permalink / raw)
  To: netdev; +Cc: davem, kuba, linux-can, kernel

Hello Jakub, hello David,

this is a pull request of 2 patches for net/master.

It consists of 2 patches, both by me. The first one fixes the use of
an uninitialized variable in the gs_usb driver, the other one a
skb_over_panic in the ISOTP stack in case of reception of too large
ISOTP messages.

regards,
Marc

---

The following changes since commit 1d5a474240407c38ca8c7484a656ee39f585399c:

  sfc: The RX page_ring is optional (2022-01-04 18:14:21 -0800)

are available in the Git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/mkl/linux-can.git tags/linux-can-fixes-for-5.16-20220105

for you to fetch changes up to 5f33a09e769a9da0482f20a6770a342842443776:

  can: isotp: convert struct tpcon::{idx,len} to unsigned int (2022-01-05 21:49:47 +0100)

----------------------------------------------------------------
linux-can-fixes-for-5.16-20220105

----------------------------------------------------------------
Marc Kleine-Budde (2):
      can: gs_usb: fix use of uninitialized variable, detach device on reception of invalid USB data
      can: isotp: convert struct tpcon::{idx,len} to unsigned int

 drivers/net/can/usb/gs_usb.c | 3 ++-
 net/can/isotp.c              | 4 ++--
 2 files changed, 4 insertions(+), 3 deletions(-)




* [PATCH net 1/2] can: gs_usb: fix use of uninitialized variable, detach device on reception of invalid USB data
  2022-01-05 20:54 [PATCH net 0/2] pull-request: can 2022-01-05 Marc Kleine-Budde
@ 2022-01-05 20:54 ` Marc Kleine-Budde
  2022-01-06  1:20   ` patchwork-bot+netdevbpf
  2022-01-05 20:54 ` [PATCH net 2/2] can: isotp: convert struct tpcon::{idx,len} to unsigned int Marc Kleine-Budde
  1 sibling, 1 reply; 4+ messages in thread
From: Marc Kleine-Budde @ 2022-01-05 20:54 UTC (permalink / raw)
  To: netdev; +Cc: davem, kuba, linux-can, kernel, Marc Kleine-Budde, stable

The received data contains the channel the received data is associated
with. If the channel number is bigger than the actual number of
channels, assume a broken or malicious USB device and shut it down.

This fixes the error found by clang:

| drivers/net/can/usb/gs_usb.c:386:6: error: variable 'dev' is used
|                                     uninitialized whenever 'if' condition is true
|         if (hf->channel >= GS_MAX_INTF)
|             ^~~~~~~~~~~~~~~~~~~~~~~~~~
| drivers/net/can/usb/gs_usb.c:474:10: note: uninitialized use occurs here
|                           hf, dev->gs_hf_size, gs_usb_receive_bulk_callback,
|                               ^~~

Link: https://lore.kernel.org/all/20211210091158.408326-1-mkl@pengutronix.de
Fixes: d08e973a77d1 ("can: gs_usb: Added support for the GS_USB CAN devices")
Cc: stable@vger.kernel.org
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
---
 drivers/net/can/usb/gs_usb.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/net/can/usb/gs_usb.c b/drivers/net/can/usb/gs_usb.c
index 1b400de00f51..d7ce2c5956f4 100644
--- a/drivers/net/can/usb/gs_usb.c
+++ b/drivers/net/can/usb/gs_usb.c
@@ -321,7 +321,7 @@ static void gs_usb_receive_bulk_callback(struct urb *urb)
 
 	/* device reports out of range channel id */
 	if (hf->channel >= GS_MAX_INTF)
-		goto resubmit_urb;
+		goto device_detach;
 
 	dev = usbcan->canch[hf->channel];
 
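Review bot: The bound in `if (hf->channel >= GS_MAX_INTF)` is the size of the canch[] array, while the commit message talks about the actual number of channels. The detach loop later in this function tests `if (usbcan->canch[rc])`, so slots below GS_MAX_INTF can evidently be NULL, and `dev = usbcan->canch[hf->channel];` right after the check can still produce a NULL dev from a device-supplied channel number. Suggest also taking the device_detach path when the selected slot is NULL, or comparing against the device's real channel count, unless a check that is not visible in this hunk already covers it.
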
@@ -406,6 +406,7 @@ static void gs_usb_receive_bulk_callback(struct urb *urb)
 
 	/* USB failure take down all interfaces */
 	if (rc == -ENODEV) {
+ device_detach:
 		for (rc = 0; rc < GS_MAX_INTF; rc++) {
 			if (usbcan->canch[rc])
 				netif_device_detach(usbcan->canch[rc]->netdev);
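
Review bot: The `device_detach:` label is placed inside the body of `if (rc == -ENODEV)`, so the new goto from the channel check jumps into a conditional block and the comment `/* USB failure take down all interfaces */` no longer describes every way this loop is reached. Suggest extending the comment to mention the invalid-channel case and logging a message on that path before detaching, so that an operator can tell a misbehaving device from an unplugged one.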

base-commit: 1d5a474240407c38ca8c7484a656ee39f585399c
-- 
2.34.1




* [PATCH net 2/2] can: isotp: convert struct tpcon::{idx,len} to unsigned int
  2022-01-05 20:54 [PATCH net 0/2] pull-request: can 2022-01-05 Marc Kleine-Budde
  2022-01-05 20:54 ` [PATCH net 1/2] can: gs_usb: fix use of uninitialized variable, detach device on reception of invalid USB data Marc Kleine-Budde
@ 2022-01-05 20:54 ` Marc Kleine-Budde
  1 sibling, 0 replies; 4+ messages in thread
From: Marc Kleine-Budde @ 2022-01-05 20:54 UTC (permalink / raw)
  To: netdev
  Cc: davem, kuba, linux-can, kernel, Marc Kleine-Budde, stable,
	Oliver Hartkopp, syzbot+4c63f36709a642f801c5

In isotp_rcv_ff() 32 bit of data received over the network is assigned
to struct tpcon::len. Later in that function the length is checked for
the maximal supported length against MAX_MSG_LENGTH.

As struct tpcon::len is an "int" this check does not work, if the
provided length overflows the "int".

Later on struct tpcon::idx is compared against struct tpcon::len.

To fix this problem this patch converts both struct tpcon::{idx,len}
to unsigned int.

Fixes: e057dd3fc20f ("can: add ISO 15765-2:2016 transport protocol")
Link: https://lore.kernel.org/all/20220105132429.1170627-1-mkl@pengutronix.de
Cc: stable@vger.kernel.org
Acked-by: Oliver Hartkopp <socketcan@hartkopp.net>
Reported-by: syzbot+4c63f36709a642f801c5@syzkaller.appspotmail.com
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
---
 net/can/isotp.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/net/can/isotp.c b/net/can/isotp.c
index df6968b28bf4..02cbcb2ecf0d 100644
--- a/net/can/isotp.c
+++ b/net/can/isotp.c
@@ -119,8 +119,8 @@ enum {
 };
 
 struct tpcon {
-	int idx;
-	int len;
+	unsigned int idx;
+	unsigned int len;
 	u32 state;
 	u8 bs;
 	u8 sn;
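
Review bot: In `struct tpcon`, the new `unsigned int idx;` and `unsigned int len;` hold what the commit message describes as 32 bits of data from the network, and the field directly below is already declared `u32 state;`. Declaring both as u32 would state the width explicitly and match the neighbouring fields. It is also worth confirming that no remaining comparison or arithmetic in isotp.c mixes idx or len with a signed int, since the implicit conversion would then go the other way.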
-- 
2.34.1
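
The length check described in the commit message above, as an added example that is not part of the patch or of the kernel source: a first frame carrying a 32-bit length is validated once with the length held in an int and once in an unsigned int. EX_MAX_MSG_LENGTH, the ex_ names and the three frames are assumptions constructed for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed limit for this example; the thread does not give MAX_MSG_LENGTH's value. */
#define EX_MAX_MSG_LENGTH 8200
/* Constructed first frames: PCI bytes 0x10 0x00 select the 32-bit length form,
 * the next four bytes carry the length, most significant byte first. */
const uint8_t ex_ff_ok[8]   = { 0x10, 0x00, 0x00, 0x00, 0x10, 0x00, 0xAA, 0xBB };
const uint8_t ex_ff_big[8]  = { 0x10, 0x00, 0x00, 0x01, 0x00, 0x00, 0xAA, 0xBB };
const uint8_t ex_ff_wrap[8] = { 0x10, 0x00, 0x80, 0x00, 0x00, 0x00, 0xAA, 0xBB };

/* Extract the 32-bit length; returns false if the frame is not of that form. */
static bool ex_ff_len32(const uint8_t *d, size_t n, uint32_t *out)
{
	if (n < 6 || d[0] != 0x10 || d[1] != 0x00)
		return false;
	*out = ((uint32_t)d[2] << 24) | ((uint32_t)d[3] << 16) | ((uint32_t)d[4] << 8) | d[5];
	return true;
}

/* Before: length held in an int. A wire value with bit 31 set becomes negative
 * (the conversion gcc and clang perform), so the upper-bound check passes. */
bool ex_accept_int(const uint8_t *d, size_t n)
{
	uint32_t wire;
	int len;
	if (!ex_ff_len32(d, n, &wire))
		return false;
	len = (int)wire;
	return len <= EX_MAX_MSG_LENGTH;
}

/* After: length held in an unsigned int, so the same check rejects the value. */
bool ex_accept_uint(const uint8_t *d, size_t n)
{
	uint32_t wire;
	unsigned int len;
	if (!ex_ff_len32(d, n, &wire))
		return false;
	len = wire;
	return len <= EX_MAX_MSG_LENGTH;
}

int main(void)
{
	printf("int: %d, unsigned int: %d\n", ex_accept_int(ex_ff_wrap, 8), ex_accept_uint(ex_ff_wrap, 8));
	return 0;
}
```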




* Re: [PATCH net 1/2] can: gs_usb: fix use of uninitialized variable, detach device on reception of invalid USB data
  2022-01-05 20:54 ` [PATCH net 1/2] can: gs_usb: fix use of uninitialized variable, detach device on reception of invalid USB data Marc Kleine-Budde
@ 2022-01-06  1:20   ` patchwork-bot+netdevbpf
  0 siblings, 0 replies; 4+ messages in thread
From: patchwork-bot+netdevbpf @ 2022-01-06  1:20 UTC (permalink / raw)
  To: Marc Kleine-Budde; +Cc: netdev, davem, kuba, linux-can, kernel, stable

Hello:

This series was applied to netdev/net.git (master)
by Marc Kleine-Budde <mkl@pengutronix.de>:

On Wed,  5 Jan 2022 21:54:42 +0100 you wrote:
> The received data contains the channel the received data is associated
> with. If the channel number is bigger than the actual number of
> channels, assume a broken or malicious USB device and shut it down.
> 
> This fixes the error found by clang:
> 
> | drivers/net/can/usb/gs_usb.c:386:6: error: variable 'dev' is used
> |                                     uninitialized whenever 'if' condition is true
> |         if (hf->channel >= GS_MAX_INTF)
> |             ^~~~~~~~~~~~~~~~~~~~~~~~~~
> | drivers/net/can/usb/gs_usb.c:474:10: note: uninitialized use occurs here
> |                           hf, dev->gs_hf_size, gs_usb_receive_bulk_callback,
> |                               ^~~
> 
> [...]

Here is the summary with links:
  - [net,1/2] can: gs_usb: fix use of uninitialized variable, detach device on reception of invalid USB data
    https://git.kernel.org/netdev/net/c/4a8737ff0687
  - [net,2/2] can: isotp: convert struct tpcon::{idx,len} to unsigned int
    https://git.kernel.org/netdev/net/c/5f33a09e769a

You are awesome, thank you!
-- 
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html


