Commit 93171ba6 authored by Oliver Hartkopp's avatar Oliver Hartkopp Committed by Marc Kleine-Budde
Browse files

can: bcm: check timer values before ktime conversion 

Kyungtae Kim detected a potential integer overflow in bcm_[rx|tx]_setup()
when the conversion into ktime multiplies the given value with NSEC_PER_USEC
(1000).

Reference: https://marc.info/?l=linux-can&m=154732118819828&w=2



Add a check for the given tv_usec, so that the value stays below one second.
Additionally limit the tv_sec value to a reasonable value for CAN related
use-cases of 400 days and ensure all values to be positive.

Reported-by: default avatarKyungtae Kim <kt0755@gmail.com>
Tested-by: default avatarOliver Hartkopp <socketcan@hartkopp.net>
Signed-off-by: default avatarOliver Hartkopp <socketcan@hartkopp.net>
Cc: linux-stable <stable@vger.kernel.org> # >= 2.6.26
Tested-by: default avatarKyungtae Kim <kt0755@gmail.com>
Acked-by: default avatarAndre Naujoks <nautsch2@gmail.com>
Signed-off-by: default avatarMarc Kleine-Budde <mkl@pengutronix.de>
parent 7b12c818

net/can/bcm.c

+27 −0
Original line number Diff line number Diff line
@@ -67,6 +67,9 @@ 
 */

#define MAX_NFRAMES 256



/* limit timers to 400 days for sending/timeouts */

#define BCM_TIMER_SEC_MAX (400 * 24 * 60 * 60)



/* use of last_frames[index].flags */

#define RX_RECV    0x40 /* received data for this element */

#define RX_THR     0x80 /* element not been sent due to throttle feature */
@@ -140,6 +143,22 @@ static inline ktime_t bcm_timeval_to_ktime(struct bcm_timeval tv) 
	return ktime_set(tv.tv_sec, tv.tv_usec * NSEC_PER_USEC);

}



/* check limitations for timeval provided by user */

static bool bcm_is_invalid_tv(struct bcm_msg_head *msg_head)

{

	if ((msg_head->ival1.tv_sec < 0) ||

	    (msg_head->ival1.tv_sec > BCM_TIMER_SEC_MAX) ||

	    (msg_head->ival1.tv_usec < 0) ||

	    (msg_head->ival1.tv_usec >= USEC_PER_SEC) ||

	    (msg_head->ival2.tv_sec < 0) ||

	    (msg_head->ival2.tv_sec > BCM_TIMER_SEC_MAX) ||

	    (msg_head->ival2.tv_usec < 0) ||

	    (msg_head->ival2.tv_usec >= USEC_PER_SEC))

		return true;



	return false;

}



#define CFSIZ(flags) ((flags & CAN_FD_FRAME) ? CANFD_MTU : CAN_MTU)

#define OPSIZ sizeof(struct bcm_op)

#define MHSIZ sizeof(struct bcm_msg_head)
@@ -873,6 +892,10 @@ static int bcm_tx_setup(struct bcm_msg_head *msg_head, struct msghdr *msg, 
	if (msg_head->nframes < 1 || msg_head->nframes > MAX_NFRAMES)

		return -EINVAL;



	/* check timeval limitations */

	if ((msg_head->flags & SETTIMER) && bcm_is_invalid_tv(msg_head))

		return -EINVAL;



	/* check the given can_id */

	op = bcm_find_op(&bo->tx_ops, msg_head, ifindex);

	if (op) {
@@ -1053,6 +1076,10 @@ static int bcm_rx_setup(struct bcm_msg_head *msg_head, struct msghdr *msg, 
	     (!(msg_head->can_id & CAN_RTR_FLAG))))

		return -EINVAL;



	/* check timeval limitations */

	if ((msg_head->flags & SETTIMER) && bcm_is_invalid_tv(msg_head))

		return -EINVAL;



	/* check the given can_id */

	op = bcm_find_op(&bo->rx_ops, msg_head, ifindex);

	if (op) {

CRA Git | Maintained and supported by SUSTech CRA and CCSE