Acknowledged
Created: Oct 15, 2025
Updated: Oct 17, 2025
Found In Version: 10.22.33.1
Severity: Standard
Applicable for: Wind River Linux LTS 22
Component/s: Kernel
In the Linux kernel, the following vulnerability has been resolved:

can: mcba_usb: populate ndo_change_mtu() to prevent buffer overflow

Sending a PF_PACKET allows to bypass the CAN framework logic and to
directly reach the xmit() function of a CAN driver. The only check
which is performed by the PF_PACKET framework is to make sure that
skb->len fits the interface's MTU.

Unfortunately, because the mcba_usb driver does not populate its
net_device_ops->ndo_change_mtu(), it is possible for an attacker to
configure an invalid MTU by doing, for example:

 $ ip link set can0 mtu 9999

After doing so, the attacker could open a PF_PACKET socket using the
ETH_P_CANXL protocol:

	socket(PF_PACKET, SOCK_RAW, htons(ETH_P_CANXL))

to inject malicious CAN XL frames. For example:

	struct canxl_frame frame = {
		.flags = 0xff,
		.len = 2048,
	};

The CAN drivers' xmit() functions call can_dev_dropped_skb() to
check that the skb is valid; unfortunately, under the above conditions, the
malicious packet is able to go through the can_dev_dropped_skb() checks:

 1. the skb->protocol is set to ETH_P_CANXL which is valid (the
 function does not check the actual device capabilities).

 2. the length is a valid CAN XL length.

And so, mcba_usb_start_xmit() receives a CAN XL frame which it is not
able to correctly handle and will thus misinterpret it as a CAN frame.

This can result in a buffer overflow. The driver will consume cf->len
as-is with no further checks on these lines:

	usb_msg.dlc = cf->len;

	memcpy(usb_msg.data, cf->data, usb_msg.dlc);

Here, cf->len corresponds to the flags field of the CAN XL frame. In
our previous example, we set canxl_frame->flags to 0xff. Because the
maximum expected length is 8, a buffer overflow of 247 bytes occurs!

Populate net_device_ops->ndo_change_mtu() to ensure that the
interface's MTU can not be set to anything bigger than CAN_MTU. By
fixing the root cause, this prevents the buffer overflow.
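The following is an added, user-space model of the check the fix introduces; it is not the kernel's or the mcba_usb driver's code. It assumes the driver's ndo_change_mtu() follows the semantics of the kernel helper can_change_mtu() (accept CAN_MTU, accept CANFD_MTU only on FD-capable devices, reject everything else, refuse changes while the interface is up), and it contrasts that with the pre-fix path where a missing callback lets any MTU through to the PF_PACKET length check. Constants mirror <linux/can.h>; the 2048-byte skb length is a constructed sample standing in for the CAN XL frame above.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

#define CAN_MTU         16    /* sizeof(struct can_frame)   */
#define CANFD_MTU       72    /* sizeof(struct canfd_frame) */
#define CAN_CTRLMODE_FD 0x20
#define IFF_UP          0x1

/* Minimal stand-in for struct net_device + struct can_priv (model only). */
struct model_dev {
    unsigned int flags;              /* IFF_UP while the link is up     */
    int mtu;
    uint32_t ctrlmode;               /* CAN_CTRLMODE_* bits in effect   */
    uint32_t ctrlmode_supported;     /* mcba_usb: classic CAN only (0)  */
    int (*ndo_change_mtu)(struct model_dev *dev, int new_mtu);
};

/* Model of can_change_mtu(): the only MTUs a CAN device may take. */
int model_can_change_mtu(struct model_dev *dev, int new_mtu)
{
    if (dev->flags & IFF_UP)
        return -EBUSY;
    switch (new_mtu) {
    case CAN_MTU:
        dev->ctrlmode &= ~CAN_CTRLMODE_FD;
        break;
    case CANFD_MTU:
        if (!(dev->ctrlmode_supported & CAN_CTRLMODE_FD))
            return -EINVAL;          /* mcba_usb lands here: no CAN FD  */
        dev->ctrlmode |= CAN_CTRLMODE_FD;
        break;
    default:
        return -EINVAL;              /* e.g. `ip link set can0 mtu 9999` */
    }
    dev->mtu = new_mtu;
    return 0;
}

/* What the MTU request reaches: without a callback (pre-fix driver) the
 * value is simply stored; with one, the driver decides. */
int model_dev_set_mtu(struct model_dev *dev, int new_mtu)
{
    if (!dev->ndo_change_mtu) { dev->mtu = new_mtu; return 0; }
    return dev->ndo_change_mtu(dev, new_mtu);
}

/* PF_PACKET's sole gate before xmit(): skb->len must fit the MTU. */
bool model_pf_packet_accepts(const struct model_dev *dev, size_t skb_len)
{
    return skb_len <= (size_t)dev->mtu;
}

/* Scenario: request MTU 9999, then offer a 2048-byte CAN XL skb. */
bool model_canxl_skb_reaches_xmit(bool fixed)
{
    struct model_dev dev = { .mtu = CAN_MTU,
        .ndo_change_mtu = fixed ? model_can_change_mtu : NULL };
    model_dev_set_mtu(&dev, 9999);
    return model_pf_packet_accepts(&dev, 2048);
}
```

With the callback populated the oversized skb never reaches the driver, so the cf->len / memcpy path is only ever fed a frame no larger than CAN_MTU.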