slcan: Don't transmit uninitialized stack data in padding

CVE-2020-11494 struct can_frame contains some padding which is not explicitly zeroed in slc_bump. This uninitialized data will then be transmitted if the stack initialization hardening feature is not enabled (CONFIG_INIT_STACK_ALL). This commit just zeroes the whole struct including the padding. Signed-off-by: Richard Palethorpe <rpalethorpe@suse.com> Fixes: a1044e36 ("can: add slcan driver for serial/USB-serial CAN adapters") Reviewed-by: Kees Cook <keescook@chromium.org> Cc: linux-can@vger.kernel.org Cc: netdev@vger.kernel.org Cc: security@kernel.org Cc: wg@grandegger.com Cc: mkl@pengutronix.de Cc: davem@davemloft.net Acked-by: Marc Kleine-Budde <mkl@pengutronix.de> Signed-off-by: David S. Miller <davem@davemloft.net> (cherry picked from commit b9258a2c) Signed-off-by: Po-Hsu Lin <po-hsu.lin@canonical.com> Acked-by: Colin Ian King <colin.king@canonical.com> Acked-by: Andrea Righi <andrea.righi@canonical.com> Signed-off-by: Kelsey Skunberg <kelsey.skunberg@canonical.com>

slcan: Don't transmit uninitialized stack data in padding
CVE-2020-11494 struct can_frame contains some padding which is not explicitly zeroed in slc_bump. This uninitialized data will then be transmitted if the stack initialization hardening feature is not enabled (CONFIG_INIT_STACK_ALL). This commit just zeroes the whole struct including the padding. Signed-off-by: Richard Palethorpe <rpalethorpe@suse.com> Fixes: a1044e36 ("can: add slcan driver for serial/USB-serial CAN adapters") Reviewed-by: Kees Cook <keescook@chromium.org> Cc: linux-can@vger.kernel.org Cc: netdev@vger.kernel.org Cc: security@kernel.org Cc: wg@grandegger.com Cc: mkl@pengutronix.de Cc: davem@davemloft.net Acked-by: Marc Kleine-Budde <mkl@pengutronix.de> Signed-off-by: David S. Miller <davem@davemloft.net> (cherry picked from commit b9258a2c) Signed-off-by: Po-Hsu Lin <po-hsu.lin@canonical.com> Acked-by: Colin Ian King <colin.king@canonical.com> Acked-by: Andrea Righi <andrea.righi@canonical.com> Signed-off-by: Kelsey Skunberg <kelsey.skunberg@canonical.com>
4dab2b32 · Richard Palethorpe · Kelsey Skunberg · 72509406 · 4dab2b32
Commit 4dab2b32 authored Apr 08, 2020 by Richard Palethorpe Committed by Kelsey Skunberg Apr 15, 2020
Hide whitespace changes
Inline Side-by-side

Showing with 1 addition and 3 deletions

drivers/net/can/slcan.c drivers/net/can/slcan.c +1 -3

No files found.
--- a/drivers/net/can/slcan.c
+++ b/drivers/net/can/slcan.c
@@ -147,7 +147,7 @@ static void slc_bump(struct slcan *sl)
 	u32 tmpid;
 	char *cmd = sl->rbuff;

-	cf.can_id = 0;
+	memset(&cf, 0, sizeof(cf));

 	switch (*cmd) {
 	case 'r':
@@ -186,8 +186,6 @@ static void slc_bump(struct slcan *sl)
 	else
 		return;

-	*(u64 *) (&cf.data) = 0; /* clear payload */
-
 	/* RTR frames may have a dlc > 0 but they never have any data bytes */
 	if (!(cf.can_id & CAN_RTR_FLAG)) {
 		for (i = 0; i < cf.can_dlc; i++) {