Skip to content

Commit 05d9045

Browse files
thefossguy-ciqthefossguy-ciq
committed
can: bcm: fix warning in bcm_connect/proc_register
jira VULN-36330 cve-prereq CVE-2023-52922 commit-author Oliver Hartkopp <[email protected]> commit deb507f Andrey Konovalov reported an issue with proc_register in bcm.c. As suggested by Cong Wang this patch adds a lock_sock() protection and a check for unsuccessful proc_create_data() in bcm_connect(). Reference: http://marc.info/?l=linux-netdev&m=147732648731237 Reported-by: Andrey Konovalov <[email protected]> Suggested-by: Cong Wang <[email protected]> Signed-off-by: Oliver Hartkopp <[email protected]> Acked-by: Cong Wang <[email protected]> Tested-by: Andrey Konovalov <[email protected]> Cc: linux-stable <[email protected]> Signed-off-by: Marc Kleine-Budde <[email protected]> (cherry picked from commit deb507f) Signed-off-by: Pratham Patel <[email protected]>
1 parent be03ca1 commit 05d9045

File tree

1 file changed

+23
-9
lines changed

1 file changed

+23
-9
lines changed

net/can/bcm.c

Lines changed: 23 additions & 9 deletions
Original file line numberDiff line numberDiff line change
@@ -1499,24 +1499,31 @@ static int bcm_connect(struct socket *sock, struct sockaddr *uaddr, int len,
14991499
struct sockaddr_can *addr = (struct sockaddr_can *)uaddr;
15001500
struct sock *sk = sock->sk;
15011501
struct bcm_sock *bo = bcm_sk(sk);
1502+
int ret = 0;
15021503

15031504
if (len < sizeof(*addr))
15041505
return -EINVAL;
15051506

1506-
if (bo->bound)
1507-
return -EISCONN;
1507+
lock_sock(sk);
1508+
1509+
if (bo->bound) {
1510+
ret = -EISCONN;
1511+
goto fail;
1512+
}
15081513

15091514
/* bind a device to this socket */
15101515
if (addr->can_ifindex) {
15111516
struct net_device *dev;
15121517

15131518
dev = dev_get_by_index(&init_net, addr->can_ifindex);
1514-
if (!dev)
1515-
return -ENODEV;
1516-
1519+
if (!dev) {
1520+
ret = -ENODEV;
1521+
goto fail;
1522+
}
15171523
if (dev->type != ARPHRD_CAN) {
15181524
dev_put(dev);
1519-
return -ENODEV;
1525+
ret = -ENODEV;
1526+
goto fail;
15201527
}
15211528

15221529
bo->ifindex = dev->ifindex;
@@ -1527,17 +1534,24 @@ static int bcm_connect(struct socket *sock, struct sockaddr *uaddr, int len,
15271534
bo->ifindex = 0;
15281535
}
15291536

1530-
bo->bound = 1;
1531-
15321537
if (proc_dir) {
15331538
/* unique socket address as filename */
15341539
sprintf(bo->procname, "%lu", sock_i_ino(sk));
15351540
bo->bcm_proc_read = proc_create_data(bo->procname, 0644,
15361541
proc_dir,
15371542
&bcm_proc_fops, sk);
1543+
if (!bo->bcm_proc_read) {
1544+
ret = -ENOMEM;
1545+
goto fail;
1546+
}
15381547
}
15391548

1540-
return 0;
1549+
bo->bound = 1;
1550+
1551+
fail:
1552+
release_sock(sk);
1553+
1554+
return ret;
15411555
}
15421556

15431557
static int bcm_recvmsg(struct kiocb *iocb, struct socket *sock,

0 commit comments

Comments
 (0)