From nobody Mon Apr 6 10:46:26 2026
From: Marc Kleine-Budde
Date: Thu, 19 Mar 2026 16:47:44 +0100
Subject: [PATCH can v2 1/2] can: gw: fix OOB heap access in cgw_csum_crc8_rel()
X-Mailing-List: linux-kernel@vger.kernel.org
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Message-Id: <20260319-fix-can-gw-and-can-isotp-v2-1-c45d52c6d2d8@pengutronix.de>
References: <20260319-fix-can-gw-and-can-isotp-v2-0-c45d52c6d2d8@pengutronix.de>
In-Reply-To: <20260319-fix-can-gw-and-can-isotp-v2-0-c45d52c6d2d8@pengutronix.de>
To: Oliver Hartkopp
Cc: kernel@pengutronix.de, Ali Norouzi, linux-can@vger.kernel.org, linux-kernel@vger.kernel.org, Marc Kleine-Budde, stable@vger.kernel.org
X-Mailer: b4 0.15-dev-5154a
From: Ali Norouzi

cgw_csum_crc8_rel() correctly computes bounds-safe indices via calc_idx():

    int from = calc_idx(crc8->from_idx, cf->len);
    int to = calc_idx(crc8->to_idx, cf->len);
    int res = calc_idx(crc8->result_idx, cf->len);
    if (from < 0 || to < 0 || res < 0)
        return;

However, the loop and the result write then use the raw s8 fields directly
instead of the computed variables:

    for (i = crc8->from_idx; ...)        /* BUG: raw negative index */
    cf->data[crc8->result_idx] = ...;    /* BUG: raw negative index */

With from_idx = to_idx = result_idx = -64 on a 64-byte CAN FD frame,
calc_idx(-64, 64) = 0, so the guard passes, but the loop iterates with
i = -64, reading cf->data[-64], and the write goes to cf->data[-64]. This
write might land up to 56 (7.0-rc) or 40 (<= 6.19) bytes before the start
of the canfd_frame on the heap.

The companion function cgw_csum_xor_rel() uses `from`/`to`/`res` correctly
throughout; fix cgw_csum_crc8_rel() to match.

Confirmed with KASAN on linux-7.0-rc2:

    BUG: KASAN: slab-out-of-bounds in cgw_csum_crc8_rel+0x515/0x5b0
    Read of size 1 at addr ffff8880076619c8 by task poc_cgw_oob/62

To configure the can-gw crc8 checksums CAP_NET_ADMIN is needed.

Fixes: 456a8a646b25 ("can: gw: add support for CAN FD frames")
Cc: stable@vger.kernel.org
Reported-by: Ali Norouzi
Reviewed-by: Oliver Hartkopp
Acked-by: Oliver Hartkopp
Signed-off-by: Ali Norouzi
Signed-off-by: Oliver Hartkopp
Signed-off-by: Marc Kleine-Budde
---
 net/can/gw.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/net/can/gw.c b/net/can/gw.c
index 8ee4d67a07d3..0ec99f68aa45 100644
--- a/net/can/gw.c
+++ b/net/can/gw.c
@@ -375,10 +375,10 @@ static void cgw_csum_crc8_rel(struct canfd_frame *cf, return; =20 if (from <=3D to) { - for (i =3D crc8->from_idx; i <=3D crc8->to_idx; i++) + for (i =3D from; i <=3D to; i++) crc =3D crc8->crctab[crc ^ cf->data[i]]; } else { - for (i =3D crc8->from_idx; i >=3D crc8->to_idx; i--) + for (i =3D from; i >=3D to; i--) crc =3D crc8->crctab[crc ^ cf->data[i]]; } =20 
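Review bot: Both loops now iterate on the calc_idx()-derived `from`/`to`, which is what the unchanged direction test `if (from <= to)` in the leading context was already using; before this change the direction was decided on the computed values while the loop bounds came from the raw s8 rule fields, so a rule with a negative relative index walked cf->data[] with indices the early `return` guard never saw. A one-line comment above the loops stating that `from` and `to` have already been validated would make that invariant visible to the next reader, and a can-gw selftest with from_idx = to_idx = result_idx = -64 on a 64-byte CAN FD frame would keep this case covered under KASAN.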
@@ -397,7 +397,7 @@ static void cgw_csum_crc8_rel(struct canfd_frame *cf, break; } =20 - cf->data[crc8->result_idx] =3D crc ^ crc8->final_xor_val; + cf->data[res] =3D crc ^ crc8->final_xor_val; } =20 static void cgw_csum_crc8_pos(struct canfd_frame *cf,
-- 
2.53.0

From nobody Mon Apr 6 10:46:26 2026
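Review bot: The result write `cf->data[res] = crc ^ crc8->final_xor_val;` now uses the index the guard checked, so the single store that previously landed before the canfd_frame on the heap is confined to the payload. cgw_csum_crc8_pos() appears in the trailing context but is outside this patch, and the commit message only vouches for cgw_csum_xor_rel(); a sentence confirming that the _pos variants were checked for the same raw-field pattern would make the stable backport self-contained.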
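As an added user-space model of the index handling the first commit message describes (not part of the patch or of the kernel's own code): it replays the loop bounds of cgw_csum_crc8_rel() before and after the fix and reports which cf->data[] indices a rule would touch, assuming calc_idx() resolves negative indices relative to the payload end as in the -64/64 example above.

```c
#include <stdbool.h>
#include <stdint.h>

/* Lowest/highest cf->data[] index a crc8 "rel" rule reads or writes. */
struct touched { int lo, hi; };

/* Relative index resolution: negative values count back from the end of
 * the payload (assumed to mirror calc_idx() in net/can/gw.c). */
static int calc_idx(int idx, int rx_len)
{
	return idx < 0 ? rx_len + idx : idx;
}

static void record(struct touched *t, int i)
{
	t->lo = i < t->lo ? i : t->lo;
	t->hi = i > t->hi ? i : t->hi;
}

/* Replay the index arithmetic of cgw_csum_crc8_rel() without touching
 * memory. 'fixed' selects the patched bounds (from/to/res); the unpatched
 * variant loops on the raw s8 rule fields while the direction is still
 * chosen from the computed values. Returns false if the guard rejects. */
static bool crc8_rel_touched(int8_t from_idx, int8_t to_idx, int8_t result_idx,
			     int len, bool fixed, struct touched *t)
{
	int from = calc_idx(from_idx, len), to = calc_idx(to_idx, len);
	int res = calc_idx(result_idx, len), i;
	int start = fixed ? from : from_idx, end = fixed ? to : to_idx;

	if (from < 0 || to < 0 || res < 0)
		return false;

	t->lo = t->hi = fixed ? res : result_idx;	/* the result write */
	if (from <= to)
		for (i = start; i <= end; i++)
			record(t, i);
	else
		for (i = start; i >= end; i--)
			record(t, i);
	return true;
}

/* True when every touched index lies inside a frame of 'len' bytes. */
static bool touched_in_bounds(const struct touched *t, int len)
{
	return t->lo >= 0 && t->hi < len;
}
```

Feeding the -64/-64/-64 rule from the commit message through both variants shows the guard passing in each case while only the patched bounds stay inside the 64-byte frame.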
From: Marc Kleine-Budde
Date: Thu, 19 Mar 2026 16:47:45 +0100
Subject: [PATCH can v2 2/2] can: isotp: fix tx.buf use-after-free in isotp_sendmsg()
X-Mailing-List: linux-kernel@vger.kernel.org
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Message-Id: <20260319-fix-can-gw-and-can-isotp-v2-2-c45d52c6d2d8@pengutronix.de>
References: <20260319-fix-can-gw-and-can-isotp-v2-0-c45d52c6d2d8@pengutronix.de>
In-Reply-To: <20260319-fix-can-gw-and-can-isotp-v2-0-c45d52c6d2d8@pengutronix.de>
To: Oliver Hartkopp
Cc: kernel@pengutronix.de, Ali Norouzi, linux-can@vger.kernel.org, linux-kernel@vger.kernel.org, Marc Kleine-Budde, stable@vger.kernel.org
X-Mailer: b4 0.15-dev-5154a
From: Oliver Hartkopp

isotp_sendmsg() uses only cmpxchg() on so->tx.state to serialize access to
so->tx.buf. isotp_release() waits for ISOTP_IDLE via
wait_event_interruptible() and then calls kfree(so->tx.buf).

If a signal interrupts the wait_event_interruptible() inside close() while
tx.state is ISOTP_SENDING, the loop exits early and release proceeds to
force ISOTP_SHUTDOWN and continues to kfree(so->tx.buf) while sendmsg may
still be reading so->tx.buf for the final CAN frame in
isotp_fill_dataframe().

The so->tx.buf can be allocated once when the standard tx.buf length needs
to be extended. Move the kfree() of this potentially extended tx.buf to
sk_destruct time when both isotp_sendmsg() and isotp_release() are done.

Fixes: 96d1c81e6a04 ("can: isotp: add module parameter for maximum pdu size")
Cc: stable@vger.kernel.org
Reported-by: Ali Norouzi
Co-developed-by: Ali Norouzi
Signed-off-by: Ali Norouzi
Signed-off-by: Oliver Hartkopp
Signed-off-by: Marc Kleine-Budde
---
 net/can/isotp.c | 24 ++++++++++++++++++------
 1 file changed, 18 insertions(+), 6 deletions(-)

diff --git a/net/can/isotp.c b/net/can/isotp.c
index da3b72e7afcc..2770f43f4951 100644
--- a/net/can/isotp.c
+++ b/net/can/isotp.c
@@ -1248,12 +1248,6 @@ static int isotp_release(struct socket *sock) so->ifindex =3D 0; so->bound =3D 0; =20 - if (so->rx.buf !=3D so->rx.sbuf) - kfree(so->rx.buf); - - if (so->tx.buf !=3D so->tx.sbuf) - kfree(so->tx.buf); - sock_orphan(sk); sock->sk =3D NULL; =20 
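Review bot: With the two kfree() blocks removed from isotp_release(), the extended buffers now outlive the signal-interrupted wait_event_interruptible() described in the commit message, which closes the window in which isotp_sendmsg() could still read so->tx.buf after release freed it. The commit message only motivates moving tx.buf, yet the rx.buf free is relocated in the same hunk; a sentence noting that both buffers share the socket's lifetime and therefore belong in sk_destruct for the same reason would document the intent for the stable backport.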
@@ -1622,6 +1616,21 @@ static int isotp_notifier(struct notifier_block *nb,= unsigned long msg, return NOTIFY_DONE; } =20 +static void isotp_sock_destruct(struct sock *sk) +{ + struct isotp_sock *so =3D isotp_sk(sk); + + /* do the standard CAN sock destruct work */ + can_sock_destruct(sk); + + /* free potential extended PDU buffers */ + if (so->rx.buf !=3D so->rx.sbuf) + kfree(so->rx.buf); + + if (so->tx.buf !=3D so->tx.sbuf) + kfree(so->tx.buf); +} + static int isotp_init(struct sock *sk) { struct isotp_sock *so =3D isotp_sk(sk); @@ -1666,6 +1675,9 @@ static int isotp_init(struct sock *sk) list_add_tail(&so->notifier, &isotp_notifier_list); spin_unlock(&isotp_notifier_lock); =20 + /* re-assign default can_sock_destruct() reference */ + sk->sk_destruct =3D isotp_sock_destruct; + return 0; } =20 
-- 
2.53.0
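Review bot: In the isotp_sock_destruct() hunk, `so` is dereferenced after can_sock_destruct(sk) returns, so the ordering relies on the generic destructor tearing down CAN state only and not releasing the sock memory itself; a one-line comment stating that assumption next to the call would spare the next reader a trip to its definition. The `!= sbuf` comparisons mirror the ones removed from isotp_release(), which keeps the ownership rule for the extended PDU buffers in a single place.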
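Review bot: In the isotp_init() hunk, the destructor is installed as the last statement before `return 0;`, after the notifier registration; any error return earlier in the function (not visible here) leaves the default can_sock_destruct() in place. That is only safe because, per the commit message, the extended buffers are allocated later, so either move `sk->sk_destruct = isotp_sock_destruct;` to the top of the function or extend the comment to say why a late assignment cannot leak a buffer.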