Fix CVE-2019-3701 (rhbz 1663729 1663730)
This commit is contained in:
Justin M. Forbes
parent
a8d556a2a2
commit
d74561968e
2 changed files with 48 additions and 0 deletions
42
CVE-2019-3701.patch
Normal file
42
CVE-2019-3701.patch
Normal file
|
|
@ -0,0 +1,42 @@
|
|||
From linux-netdev Thu Jan 03 12:26:34 2019
|
||||
From: Oliver Hartkopp <socketcan () hartkopp ! net>
|
||||
Date: Thu, 03 Jan 2019 12:26:34 +0000
|
||||
To: linux-netdev
|
||||
Subject: [PATCH] can: gw: ensure DLC boundaries after CAN frame modification
|
||||
Message-Id: <20190103122634.2530-1-socketcan () hartkopp ! net>
|
||||
X-MARC-Message: https://marc.info/?l=linux-netdev&m=154651842302479
|
||||
|
||||
The CAN frame modification rules allow bitwise logical operations which can
|
||||
be also applied to the can_dlc field. Ensure the manipulation result to
|
||||
maintain the can_dlc boundaries so that the CAN drivers do not accidently
|
||||
write arbitrary content beyond the data registers in the CAN controllers
|
||||
I/O mem when processing can-gw manipulated outgoing frames. When passing these
|
||||
frames to user space this issue did not have any effect to the kernel or any
|
||||
leaked data as we always strictly copy sizeof(struct can_frame) bytes.
|
||||
|
||||
Reported-by: Muyu Yu <ieatmuttonchuan@gmail.com>
|
||||
Reported-by: Marcus Meissner <meissner@suse.de>
|
||||
Tested-by: Muyu Yu <ieatmuttonchuan@gmail.com>
|
||||
Signed-off-by: Oliver Hartkopp <socketcan@hartkopp.net>
|
||||
Cc: linux-stable <stable@vger.kernel.org> # >= v3.2
|
||||
---
|
||||
net/can/gw.c | 4 ++++
|
||||
1 file changed, 4 insertions(+)
|
||||
|
||||
diff --git a/net/can/gw.c b/net/can/gw.c
|
||||
index faa3da88a127..9000d9b8a133 100644
|
||||
--- a/net/can/gw.c
|
||||
+++ b/net/can/gw.c
|
||||
@@ -418,6 +418,10 @@ static void can_can_gw_rcv(struct sk_buff *skb, void *data)
|
||||
|
||||
/* check for checksum updates when the CAN frame has been modified */
|
||||
if (modidx) {
|
||||
+ /* ensure DLC boundaries after the different mods */
|
||||
+ if (cf->can_dlc > 8)
|
||||
+ cf->can_dlc = 8;
|
||||
+
|
||||
if (gwj->mod.csumfunc.crc8)
|
||||
(*gwj->mod.csumfunc.crc8)(cf, &gwj->mod.csum.crc8);
|
||||
|
||||
--
|
||||
2.19.2
|
||||
|
|
@ -633,6 +633,9 @@ Patch516: asus-fx503-keyb.patch
|
|||
# rhbz 1661961 patch merged upstream in 4.20
|
||||
Patch517: 0001-Bluetooth-btsdio-Do-not-bind-to-non-removable-BCM434.patch
|
||||
|
||||
# CVE-2019-3701 rhbz 1663729 1663730
|
||||
Patch518: CVE-2019-3701.patch
|
||||
|
||||
# END OF PATCH DEFINITIONS
|
||||
|
||||
%endif
|
||||
|
|
@ -1884,6 +1887,9 @@ fi
|
|||
#
|
||||
#
|
||||
%changelog
|
||||
* Tue Jan 07 2019 Justin M. Forbes <jforbes@fedoraproject.org>
|
||||
- Fix CVE-2019-3701 (rhbz 1663729 1663730)
|
||||
|
||||
* Mon Jan 7 2019 Hans de Goede <hdegoede@redhat.com>
|
||||
- Add patch to fix bluetooth on RPI 3B+ registering twice (rhbz#1661961)
|
||||
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue