Re: [PATCH v2] can: kvaser_usb: leaf: Fix potential infinite loop in command parsers

From: Jimmy Assarsson
Date: Mon Nov 03 2025 - 03:52:44 EST

Next message: Raviteja Laggyshetty: "[PATCH v5 0/2] Add interconnect support for Kaanapali SoC"
Previous message: AngeloGioacchino Del Regno: "Re: [PATCH v2 08/15] dt-bindings: net: mediatek,net: Correct bindings for MT7981"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On 10/29/25 20:06, Seungjin Bae wrote:

Hello Jimmy,

Thank you for trying to reproduce the issue and for the detailed
explanation of the firmware logic.

You are correct that this issue would not occur with the standard Kvaser
firmware. The vulnerability I reported wasn’t found by running code
on an actual Kvaser device.

Instead, I discovered this issue by performing analysis on the driver
code using a symbolic execution tool. This tool demonstrated that
the driver contains a vulnerable code path.

My goal was to show that if a malicious device is connected—one that
sends a specifically crafted packet sequence not normally produced by
the firmware—the driver code will process it incorrectly and cause
the kernel panic.

So regretfully, I don’t have any hardware information yet.

Sorry, I overlooked the title, and assumed this was a problem you had
encountered with a real device.

Patch LGTM and tested OK with actual Kvaser devices:
Reviewed-by: Jimmy Assarsson <extja@xxxxxxxxxx>
Tested-by: Jimmy Assarsson <extja@xxxxxxxxxx>

Thanks!
/jimmy

Thank you for your precious time.

Best,
Seungjin Bae

2025년 10월 29일 (수) 오전 6:53, Jimmy Assarsson <extja@xxxxxxxxxx <mailto:extja@xxxxxxxxxx>>님이 작성:

On 10/26/25 14:26, Jimmy Assarsson wrote:
> Hi Seungjin,
>
> Thanks for fixing this!
> I'll do some testing in the beginning of next week.
> Which Kvaser device did you use when you discovered the problem?
>
> Best regards,
> jimmy

Hi Seungjin,

I've not been able to reproduce this problem, when testing with the
latest firmware on multiple different devices.

If the next command in the firmware packet queue, doesn't fit within the
current endpoint transaction (wMaxPacketSize), the firmware will
terminate the transaction with a zero byte. The driver then interprets
this as a zero-length command, and skip to the next transaction.

The firmware is responsible to insert a "zero termination byte" only
when there is already one or more packets in the current transaction.
Since all commands have even lengths (4,8,10,12,16,20,24,30,32 bytes)
and the wMaxPacketSize is also even (64 bytes or 512 bytes, depending on
the device), I cannot see a situation where the zero termination byte
would be inserted exactly at the wMaxPacketSize boundary.

Can you please provide which Kvaser device and firmware you use:
lsusb -d 0bfd:
ethtool -i can0

Best regards,
jimmy

Next message: Raviteja Laggyshetty: "[PATCH v5 0/2] Add interconnect support for Kaanapali SoC"
Previous message: AngeloGioacchino Del Regno: "Re: [PATCH v2 08/15] dt-bindings: net: mediatek,net: Correct bindings for MT7981"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]