Upstream commit 2b17c400aeb44daf041627722581ade527bb3c1d
The Fixes tag of the upstream patch points to commit 921ca574cd38 ("can: isotp: add SF_BROADCAST support for functional addressing"), which showed up in Linux 5.11, but the described issue already existed in Linux 5.10.
Norbert Slusarek writes:
A race condition was found in isotp_setsockopt() which allows to change socket options after the socket was bound. For the specific case of SF_BROADCAST support, this might lead to possible use-after-free because can_rx_unregister() is not called.
Checking for the flag under the socket lock in isotp_bind() and taking the lock in isotp_setsockopt() fixes the issue.
Fixes: e057dd3fc20f ("can: add ISO 15765-2:2016 transport protocol") Link: https://lore.kernel.org/r/trinity-e6ae9efa-9afb-4326-84c0-f3609b9b8168-16207... Reported-by: Norbert Slusarek nslusarek@gmx.net Signed-off-by: Thadeu Lima de Souza Cascardo cascardo@canonical.com Signed-off-by: Norbert Slusarek nslusarek@gmx.net Acked-by: Oliver Hartkopp socketcan@hartkopp.net Signed-off-by: Marc Kleine-Budde mkl@pengutronix.de Signed-off-by: Oliver Hartkopp socketcan@hartkopp.net --- net/can/isotp.c | 21 +++++++++++++++++---- 1 file changed, 17 insertions(+), 4 deletions(-)
diff --git a/net/can/isotp.c b/net/can/isotp.c
index 37db4d232313..3f11d2b314b6 100644
--- a/net/can/isotp.c
+++ b/net/can/isotp.c
@@ -1191,20 +1191,17 @@ static int isotp_getname(struct socket *sock, struct sockaddr *uaddr, int peer)
 addr->can_addr.tp.tx_id = so->txid;
 return ISOTP_MIN_NAMELEN;
 }
-static int isotp_setsockopt(struct socket *sock, int level, int optname,
+static int isotp_setsockopt_locked(struct socket *sock, int level, int optname,
 sockptr_t optval, unsigned int optlen)
 {
 struct sock *sk = sock->sk;
 struct isotp_sock *so = isotp_sk(sk);
 int ret = 0;
- if (level != SOL_CAN_ISOTP)
- return -EINVAL;
-
 if (so->bound)
 return -EISCONN;
 switch (optname) {
 case CAN_ISOTP_OPTS:
@@ -1275,10 +1272,26 @@ static int isotp_setsockopt(struct socket *sock, int level, int optname,
 }
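Review bot: isotp_setsockopt_locked() now depends on its caller holding the socket lock for the `so->bound` test to be meaningful, but nothing at the definition says so; add `/* must be called with the socket lock held, see isotp_setsockopt() */` above the signature, or open the body with `sock_owned_by_me(sk);` so that lockdep reports a caller that forgets the lock. After the SOL_CAN_ISOTP test moved to the wrapper, `level` looks unused inside the locked helper; the rest of its body lies outside the hunk, so that cannot be confirmed here. The commit message also states that the flag is checked under the socket lock in isotp_bind(), yet this diff touches no isotp_bind() hunk; presumably the backport of 921ca574cd38 that follows in this thread supplies that ordering.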
 return ret;
 }
+static int isotp_setsockopt(struct socket *sock, int level, int optname,
+ sockptr_t optval, unsigned int optlen)
+
+{
+ struct sock *sk = sock->sk;
+ int ret;
+
+ if (level != SOL_CAN_ISOTP)
+ return -EINVAL;
+
+ lock_sock(sk);
+ ret = isotp_setsockopt_locked(sock, level, optname, optval, optlen);
+ release_sock(sk);
+ return ret;
+}
+
 static int isotp_getsockopt(struct socket *sock, int level, int optname,
 char __user *optval, int __user *optlen)
 {
 struct sock *sk = sock->sk;
 struct isotp_sock *so = isotp_sk(sk);
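Review bot: The new wrapper carries an empty line between the parameter list and the opening brace (the added blank line before `+{`), which is not kernel style and checkpatch would likely flag; drop it. `level` is still forwarded to isotp_setsockopt_locked() although the only check on it, `if (level != SOL_CAN_ISOTP)`, now lives in this wrapper, so the helper's parameter is probably dead weight unless its body (outside the hunk) uses it. Apart from that, bracketing the helper with lock_sock()/release_sock() is the right shape for closing the race on the bound check.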
Upstream commit 921ca574cd382142add8b12d0a7117f495510de5
The patch was intended for 5.10 but missed the merge window by some days. This missing patch continously breaks the backport of stable fixes and is the only missing feature of upstream isotp in Linux 5.10 e.g. for RasPi.
When CAN_ISOTP_SF_BROADCAST is set in the CAN_ISOTP_OPTS flags the CAN_ISOTP socket is switched into functional addressing mode, where only single frame (SF) protocol data units can be sent on the specified CAN interface and the given tp.tx_id after bind().
In opposite to normal and extended addressing this socket does not register a CAN-ID for reception which would be needed for a 1-to-1 ISOTP connection with a segmented bi-directional data transfer.
Sending SFs on this socket is therefore a TX-only 'broadcast' operation.
Signed-off-by: Oliver Hartkopp socketcan@hartkopp.net Signed-off-by: Thomas Wagner thwa1@web.de Link: https://lore.kernel.org/r/20201206144731.4609-1-socketcan@hartkopp.net Signed-off-by: Marc Kleine-Budde mkl@pengutronix.de --- include/uapi/linux/can/isotp.h | 2 +- net/can/isotp.c | 50 ++++++++++++++++++++++++---------- 2 files changed, 37 insertions(+), 15 deletions(-)
diff --git a/include/uapi/linux/can/isotp.h b/include/uapi/linux/can/isotp.h
index 7793b26aa154..c55935b64ccc 100644
--- a/include/uapi/linux/can/isotp.h
+++ b/include/uapi/linux/can/isotp.h
@@ -133,11 +133,11 @@ struct can_isotp_ll_options {
 #define CAN_ISOTP_HALF_DUPLEX 0x040 /* half duplex error state handling */
 #define CAN_ISOTP_FORCE_TXSTMIN 0x080 /* ignore stmin from received FC */
 #define CAN_ISOTP_FORCE_RXSTMIN 0x100 /* ignore CFs depending on rx stmin */
 #define CAN_ISOTP_RX_EXT_ADDR 0x200 /* different rx extended addressing */
 #define CAN_ISOTP_WAIT_TX_DONE 0x400 /* wait for tx completion */
-
+#define CAN_ISOTP_SF_BROADCAST 0x800 /* 1-to-N functional addressing */
/* default values */
 #define CAN_ISOTP_DEFAULT_FLAGS 0
 #define CAN_ISOTP_DEFAULT_EXT_ADDRESS 0x00
diff --git a/net/can/isotp.c b/net/can/isotp.c
index 3f11d2b314b6..d0581dc6a65f 100644
--- a/net/can/isotp.c
+++ b/net/can/isotp.c
@@ -886,10 +886,20 @@ static int isotp_sendmsg(struct socket *sock, struct msghdr *msg, size_t size)
 if (!size || size > MAX_MSG_LENGTH) {
 err = -EINVAL;
 goto err_out_drop;
 }
+ /* take care of a potential SF_DL ESC offset for TX_DL > 8 */
+ off = (so->tx.ll_dl > CAN_MAX_DLEN) ? 1 : 0;
+
+ /* does the given data fit into a single frame for SF_BROADCAST? */
+ if ((so->opt.flags & CAN_ISOTP_SF_BROADCAST) &&
+ (size > so->tx.ll_dl - SF_PCI_SZ4 - ae - off)) {
+ err = -EINVAL;
+ goto err_out_drop;
+ }
+
 err = memcpy_from_msg(so->tx.buf, msg, size);
 if (err < 0)
 goto err_out_drop;
 dev = dev_get_by_index(sock_net(sk), so->ifindex);
@@ -913,13 +923,10 @@ static int isotp_sendmsg(struct socket *sock, struct msghdr *msg, size_t size)
 so->tx.idx = 0;
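Review bot: The SF_BROADCAST size test repeats the `so->tx.ll_dl - SF_PCI_SZ4 - ae - off` arithmetic that the single-frame decision later in this function uses (the next hunk keeps `if (size <= so->tx.ll_dl - SF_PCI_SZ4 - ae - off)`); computing it once, e.g. `int sf_dl_max = so->tx.ll_dl - SF_PCI_SZ4 - ae - off;`, and testing `size > sf_dl_max` here and `size <= sf_dl_max` below keeps the two bounds from drifting apart in a future edit. The new comment could also say why the limit is hard rather than a preference: `/* functional addressing has no flow control, so a segmented transfer is impossible */`. `ae` and `off` are declared above the hunk, so their types cannot be checked here; with `size` being size_t the comparison is only sound while the right-hand side stays non-negative, which presumably holds for any valid ll_dl.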
 cf = (struct canfd_frame *)skb->data;
 skb_put_zero(skb, so->ll.mtu);
- /* take care of a potential SF_DL ESC offset for TX_DL > 8 */
- off = (so->tx.ll_dl > CAN_MAX_DLEN) ? 1 : 0;
-
 /* check for single frame transmission depending on TX_DL */
 if (size <= so->tx.ll_dl - SF_PCI_SZ4 - ae - off) {
 /* The message size generally fits into a SingleFrame - good.
 *
 * SF_DL ESC offset optimization:
@@ -1055,11 +1062,11 @@ static int isotp_release(struct socket *sock)
 spin_unlock(&isotp_notifier_lock);
lock_sock(sk);
 /* remove current filters & unregister */
- if (so->bound) {
+ if (so->bound && (!(so->opt.flags & CAN_ISOTP_SF_BROADCAST))) {
 if (so->ifindex) {
 struct net_device *dev;
 dev = dev_get_by_index(net, so->ifindex);
 if (dev) {
@@ -1095,26 +1102,40 @@ static int isotp_bind(struct socket *sock, struct sockaddr *uaddr, int len)
 struct net *net = sock_net(sk);
 int ifindex;
 struct net_device *dev;
 int err = 0;
 int notify_enetdown = 0;
+ int do_rx_reg = 1;
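Review bot: Skipping can_rx_unregister() when CAN_ISOTP_SF_BROADCAST is set is only safe because so->opt.flags can no longer change once so->bound is set (the preceding patch in this thread makes isotp_setsockopt_locked() return -EISCONN under lock_sock()); that invariant is all that separates this conditional from the use-after-free the first patch describes, and nothing in the code records it. Add `/* opt.flags is frozen after bind(), so this mirrors the do_rx_reg decision in isotp_bind() */` next to the condition; the same applies to the NETDEV_UNREGISTER case in the isotp_notify() hunk and to `so->bound && do_rx_reg` in the second isotp_bind() hunk. The double parentheses in `(!(so->opt.flags & CAN_ISOTP_SF_BROADCAST))` are redundant; `if (so->bound && !(so->opt.flags & CAN_ISOTP_SF_BROADCAST)) {` reads the same. isotp_release() starts before this hunk and continues after it.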
 if (len < ISOTP_MIN_NAMELEN)
 return -EINVAL;
- if (addr->can_addr.tp.rx_id == addr->can_addr.tp.tx_id)
- return -EADDRNOTAVAIL;
-
- if ((addr->can_addr.tp.rx_id | addr->can_addr.tp.tx_id) &
- (CAN_ERR_FLAG | CAN_RTR_FLAG))
+ if (addr->can_addr.tp.tx_id & (CAN_ERR_FLAG | CAN_RTR_FLAG))
 return -EADDRNOTAVAIL;
 if (!addr->can_ifindex)
 return -ENODEV;
lock_sock(sk);
+ /* do not register frame reception for functional addressing */
+ if (so->opt.flags & CAN_ISOTP_SF_BROADCAST)
+ do_rx_reg = 0;
+
+ /* do not validate rx address for functional addressing */
+ if (do_rx_reg) {
+ if (addr->can_addr.tp.rx_id == addr->can_addr.tp.tx_id) {
+ err = -EADDRNOTAVAIL;
+ goto out;
+ }
+
+ if (addr->can_addr.tp.rx_id & (CAN_ERR_FLAG | CAN_RTR_FLAG)) {
+ err = -EADDRNOTAVAIL;
+ goto out;
+ }
+ }
+
 if (so->bound && addr->can_ifindex == so->ifindex &&
 addr->can_addr.tp.rx_id == so->rxid &&
 addr->can_addr.tp.tx_id == so->txid)
 goto out;
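Review bot: `int do_rx_reg = 1;` is only ever used as a truth value (`if (do_rx_reg)`, `so->bound && do_rx_reg`); `bool do_rx_reg = true;` with `do_rx_reg = false;` states that directly. The reason the CAN_ISOTP_SF_BROADCAST test sits after lock_sock() while the tx_id validation stays above the lock is not recorded; since option changes are rejected under the same lock once the socket is bound, a comment such as `/* opt.flags must be read under the socket lock: it decides rx registration and is frozen after bind() */` would keep a later cleanup from hoisting it. With rx validation skipped for functional addressing, an arbitrary rx_id (CAN_ERR_FLAG/CAN_RTR_FLAG bits included) is presumably still stored into so->rxid further down the function and reported back by isotp_getname(); harmless for filtering since no receiver is registered, but worth a sentence in the commit message. isotp_bind() begins before this hunk and its `out:` label lies outside it.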
@@ -1136,17 +1157,18 @@ static int isotp_bind(struct socket *sock, struct sockaddr *uaddr, int len)
 if (!(dev->flags & IFF_UP))
 notify_enetdown = 1;
ifindex = dev->ifindex;
- can_rx_register(net, dev, addr->can_addr.tp.rx_id,
- SINGLE_MASK(addr->can_addr.tp.rx_id), isotp_rcv, sk,
- "isotp", sk);
+ if (do_rx_reg)
+ can_rx_register(net, dev, addr->can_addr.tp.rx_id,
+ SINGLE_MASK(addr->can_addr.tp.rx_id),
+ isotp_rcv, sk, "isotp", sk);
dev_put(dev);
- if (so->bound) {
+ if (so->bound && do_rx_reg) {
 /* unregister old filter */
 if (so->ifindex) {
 dev = dev_get_by_index(net, so->ifindex);
 if (dev) {
 can_rx_unregister(net, dev, so->rxid,
@@ -1355,11 +1377,11 @@ static void isotp_notify(struct isotp_sock *so, unsigned long msg,
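Review bot: The rewritten can_rx_register() call still discards its return value; can_rx_register() returns an errno-style int in the kernel, and if it fails the socket would presumably still be marked bound further down (outside this hunk) with no receiver in place, so that isotp_release() later tries to unregister a filter that was never added. Consider `err = can_rx_register(...); if (err) goto out_put;` with an unwind that still performs the `dev_put(dev)` shown just below; the exact label depends on code outside the hunk. This is pre-existing behaviour rather than something the commit introduces, but the call is being rewritten here anyway.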
 switch (msg) {
 case NETDEV_UNREGISTER:
 lock_sock(sk);
 /* remove current filters & unregister */
- if (so->bound)
+ if (so->bound && (!(so->opt.flags & CAN_ISOTP_SF_BROADCAST)))
 can_rx_unregister(dev_net(dev), dev, so->rxid,
 SINGLE_MASK(so->rxid), isotp_rcv, sk);
so->ifindex = 0;
On Wed, Feb 16, 2022 at 07:31:37AM +0100, Oliver Hartkopp wrote:
Upstream commit 921ca574cd382142add8b12d0a7117f495510de5
The patch was intended for 5.10 but missed the merge window by some days. This missing patch continously breaks the backport of stable fixes and is the only missing feature of upstream isotp in Linux 5.10 e.g. for RasPi.
When CAN_ISOTP_SF_BROADCAST is set in the CAN_ISOTP_OPTS flags the CAN_ISOTP socket is switched into functional addressing mode, where only single frame (SF) protocol data units can be send on the specified CAN interface and the given tp.tx_id after bind().
In opposite to normal and extended addressing this socket does not register a CAN-ID for reception which would be needed for a 1-to-1 ISOTP connection with a segmented bi-directional data transfer.
Sending SFs on this socket is therefore a TX-only 'broadcast' operation.
Signed-off-by: Oliver Hartkopp socketcan@hartkopp.net Signed-off-by: Thomas Wagner thwa1@web.de Link: https://lore.kernel.org/r/20201206144731.4609-1-socketcan@hartkopp.net Signed-off-by: Marc Kleine-Budde mkl@pengutronix.de
include/uapi/linux/can/isotp.h | 2 +- net/can/isotp.c | 50 ++++++++++++++++++++++++---------- 2 files changed, 37 insertions(+), 15 deletions(-)
Both now queued up, thanks.
greg k-h