| From c98e522786c715546bd4e80bda3b65f9a8cc57c5 Mon Sep 17 00:00:00 2001 |
| From: Richard Palethorpe <rpalethorpe@suse.com> |
| Date: Wed, 1 Apr 2020 12:06:39 +0200 |
| Subject: [PATCH] slcan: Don't transmit uninitialized stack data in padding |
| |
| commit b9258a2cece4ec1f020715fe3554bc2e360f6264 upstream. |
| |
| struct can_frame contains some padding which is not explicitly zeroed in |
| slc_bump. This uninitialized data will then be transmitted if the stack |
| initialization hardening feature is not enabled (CONFIG_INIT_STACK_ALL). |
| |
| This commit just zeroes the whole struct including the padding. |
| |
| Signed-off-by: Richard Palethorpe <rpalethorpe@suse.com> |
| Fixes: a1044e36e457 ("can: add slcan driver for serial/USB-serial CAN adapters") |
| Reviewed-by: Kees Cook <keescook@chromium.org> |
| Cc: linux-can@vger.kernel.org |
| Cc: netdev@vger.kernel.org |
| Cc: security@kernel.org |
| Cc: wg@grandegger.com |
| Cc: mkl@pengutronix.de |
| Cc: davem@davemloft.net |
| Acked-by: Marc Kleine-Budde <mkl@pengutronix.de> |
| Signed-off-by: David S. Miller <davem@davemloft.net> |
| Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com> |
| |
| diff --git a/drivers/net/can/slcan.c b/drivers/net/can/slcan.c |
| index cf0769ad39cd..901c3ecc55cc 100644 |
| --- a/drivers/net/can/slcan.c |
| +++ b/drivers/net/can/slcan.c |
| @@ -147,7 +147,7 @@ static void slc_bump(struct slcan *sl) |
| u32 tmpid; |
| char *cmd = sl->rbuff; |
| |
| - cf.can_id = 0; |
| + memset(&cf, 0, sizeof(cf)); |
| |
| switch (*cmd) { |
| case 'r': |
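Review bot: The `memset(&cf, 0, sizeof(cf));` added in slc_bump has no comment recording that it is there to clear the padding bytes of struct can_frame, not just its fields. Without one, a later cleanup could swap it for a `= {0}` initializer or per-field assignments, neither of which is guaranteed to zero padding, and the leak described in the commit message would come back. I would put `/* zero the whole frame, padding and data[] included, so no stack bytes leak */` above the call, which also records that the payload clear removed in the second hunk now depends on this line. slc_bump's body starts and ends outside both hunks, so how cf is later copied out is not visible here.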
| @@ -186,8 +186,6 @@ static void slc_bump(struct slcan *sl) |
| else |
| return; |
| |
| - *(u64 *) (&cf.data) = 0; /* clear payload */ |
| - |
| /* RTR frames may have a dlc > 0 but they never have any data bytes */ |
| if (!(cf.can_id & CAN_RTR_FLAG)) { |
| for (i = 0; i < cf.can_dlc; i++) { |
| -- |
| 2.7.4 |
| |