Wind River Support Network

Description

In the Linux kernel, the following vulnerability has been resolved:  can: gw: fix OOB heap access in cgw_csum_crc8_rel()  cgw_csum_crc8_rel() correctly computes bounds-safe indices via calc_idx():      int from = calc_idx(crc8->from_idx, cf->len);     int to   = calc_idx(crc8->to_idx,   cf->len);     int res  = calc_idx(crc8->result_idx, cf->len);      if (from < 0 || to < 0 || res < 0)         return;  However, the loop and the result write then use the raw s8 fields directly instead of the computed variables:      for (i = crc8->from_idx; ...)        /* BUG: raw negative index */     cf->data[crc8->result_idx] = ...;    /* BUG: raw negative index */  With from_idx = to_idx = result_idx = -64 on a 64-byte CAN FD frame, calc_idx(-64, 64) = 0 so the guard passes, but the loop iterates with i = -64, reading cf->data[-64], and the write goes to cf->data[-64]. This write might end up to 56 (7.0-rc) or 40 (<= 6.19) bytes before the start of the canfd_frame on the heap.  The companion function cgw_csum_xor_rel() uses `from`/`to`/`res` correctly throughout; fix cgw_csum_crc8_rel() to match.  Confirmed with KASAN on linux-7.0-rc2:   BUG: KASAN: slab-out-of-bounds in cgw_csum_crc8_rel+0x515/0x5b0   Read of size 1 at addr ffff8880076619c8 by task poc_cgw_oob/62  To configure the can-gw crc8 checksums CAP_NET_ADMIN is needed.