Skip to content

Commit 5be648b

Browse files
committed
Merge: CVE-2022-49269 kernel: can: isotp: sanitize CAN ID checks in isotp_bind()
MR: https://gitlab.com/redhat/centos-stream/src/kernel/centos-stream-9/-/merge_requests/6513 JIRA: https://issues.redhat.com/browse/RHEL-80832 CVE: CVE-2022-49269 Backport upstream fix for CVE-2022-49269. While at it, backport a few other commits, so that the CVE fix applies cleanly and all commit series are complete. Signed-off-by: Radu Rendec <[email protected]> Approved-by: Brian Masney <[email protected]> Approved-by: Jared Kangas <[email protected]> Approved-by: Eric Chanudet <[email protected]> Approved-by: CKI KWF Bot <[email protected]> Merged-by: Augusto Caringi <[email protected]>
2 parents 9ce455f + b6fcb15 commit 5be648b

File tree

2 files changed

+371
-201
lines changed

2 files changed

+371
-201
lines changed

include/uapi/linux/can/isotp.h

Lines changed: 36 additions & 19 deletions
Original file line numberDiff line numberDiff line change
@@ -124,33 +124,30 @@ struct can_isotp_ll_options {
124124

125125
/* flags for isotp behaviour */
126126

127-
#define CAN_ISOTP_LISTEN_MODE 0x001 /* listen only (do not send FC) */
128-
#define CAN_ISOTP_EXTEND_ADDR 0x002 /* enable extended addressing */
129-
#define CAN_ISOTP_TX_PADDING 0x004 /* enable CAN frame padding tx path */
130-
#define CAN_ISOTP_RX_PADDING 0x008 /* enable CAN frame padding rx path */
131-
#define CAN_ISOTP_CHK_PAD_LEN 0x010 /* check received CAN frame padding */
132-
#define CAN_ISOTP_CHK_PAD_DATA 0x020 /* check received CAN frame padding */
133-
#define CAN_ISOTP_HALF_DUPLEX 0x040 /* half duplex error state handling */
134-
#define CAN_ISOTP_FORCE_TXSTMIN 0x080 /* ignore stmin from received FC */
135-
#define CAN_ISOTP_FORCE_RXSTMIN 0x100 /* ignore CFs depending on rx stmin */
136-
#define CAN_ISOTP_RX_EXT_ADDR 0x200 /* different rx extended addressing */
137-
#define CAN_ISOTP_WAIT_TX_DONE 0x400 /* wait for tx completion */
138-
#define CAN_ISOTP_SF_BROADCAST 0x800 /* 1-to-N functional addressing */
139-
140-
/* default values */
127+
#define CAN_ISOTP_LISTEN_MODE 0x0001 /* listen only (do not send FC) */
128+
#define CAN_ISOTP_EXTEND_ADDR 0x0002 /* enable extended addressing */
129+
#define CAN_ISOTP_TX_PADDING 0x0004 /* enable CAN frame padding tx path */
130+
#define CAN_ISOTP_RX_PADDING 0x0008 /* enable CAN frame padding rx path */
131+
#define CAN_ISOTP_CHK_PAD_LEN 0x0010 /* check received CAN frame padding */
132+
#define CAN_ISOTP_CHK_PAD_DATA 0x0020 /* check received CAN frame padding */
133+
#define CAN_ISOTP_HALF_DUPLEX 0x0040 /* half duplex error state handling */
134+
#define CAN_ISOTP_FORCE_TXSTMIN 0x0080 /* ignore stmin from received FC */
135+
#define CAN_ISOTP_FORCE_RXSTMIN 0x0100 /* ignore CFs depending on rx stmin */
136+
#define CAN_ISOTP_RX_EXT_ADDR 0x0200 /* different rx extended addressing */
137+
#define CAN_ISOTP_WAIT_TX_DONE 0x0400 /* wait for tx completion */
138+
#define CAN_ISOTP_SF_BROADCAST 0x0800 /* 1-to-N functional addressing */
139+
#define CAN_ISOTP_CF_BROADCAST 0x1000 /* 1-to-N transmission w/o FC */
140+
141+
/* protocol machine default values */
141142

142143
#define CAN_ISOTP_DEFAULT_FLAGS 0
143144
#define CAN_ISOTP_DEFAULT_EXT_ADDRESS 0x00
144145
#define CAN_ISOTP_DEFAULT_PAD_CONTENT 0xCC /* prevent bit-stuffing */
145-
#define CAN_ISOTP_DEFAULT_FRAME_TXTIME 0
146+
#define CAN_ISOTP_DEFAULT_FRAME_TXTIME 50000 /* 50 micro seconds */
146147
#define CAN_ISOTP_DEFAULT_RECV_BS 0
147148
#define CAN_ISOTP_DEFAULT_RECV_STMIN 0x00
148149
#define CAN_ISOTP_DEFAULT_RECV_WFTMAX 0
149150

150-
#define CAN_ISOTP_DEFAULT_LL_MTU CAN_MTU
151-
#define CAN_ISOTP_DEFAULT_LL_TX_DL CAN_MAX_DLEN
152-
#define CAN_ISOTP_DEFAULT_LL_TX_FLAGS 0
153-
154151
/*
155152
* Remark on CAN_ISOTP_DEFAULT_RECV_* values:
156153
*
@@ -162,4 +159,24 @@ struct can_isotp_ll_options {
162159
* consistency and copied directly into the flow control (FC) frame.
163160
*/
164161

162+
/* link layer default values => make use of Classical CAN frames */
163+
164+
#define CAN_ISOTP_DEFAULT_LL_MTU CAN_MTU
165+
#define CAN_ISOTP_DEFAULT_LL_TX_DL CAN_MAX_DLEN
166+
#define CAN_ISOTP_DEFAULT_LL_TX_FLAGS 0
167+
168+
/*
169+
* The CAN_ISOTP_DEFAULT_FRAME_TXTIME has become a non-zero value as
170+
* it only makes sense for isotp implementation tests to run without
171+
* a N_As value. As user space applications usually do not set the
172+
* frame_txtime element of struct can_isotp_options the new in-kernel
173+
* default is very likely overwritten with zero when the sockopt()
174+
* CAN_ISOTP_OPTS is invoked.
175+
* To make sure that a N_As value of zero is only set intentional the
176+
* value '0' is now interpreted as 'do not change the current value'.
177+
* When a frame_txtime of zero is required for testing purposes this
178+
* CAN_ISOTP_FRAME_TXTIME_ZERO u32 value has to be set in frame_txtime.
179+
*/
180+
#define CAN_ISOTP_FRAME_TXTIME_ZERO 0xFFFFFFFF
181+
165182
#endif /* !_UAPI_CAN_ISOTP_H */

0 commit comments

Comments
 (0)