Re: [BUG] KASAN: slab-use-after-free Read in raw_rcv

From: Eulgyu Kim

Date: Mon May 04 2026 - 00:08:55 EST


> >
> > Can you confirm that the below patch fixes the issue?
> >
> > Best regards,
> > Oliver
> >
> > diff --git a/net/can/raw.c b/net/can/raw.c
> > index a26942e78e68..48d1bf297c2c 100644
> > --- a/net/can/raw.c
> > +++ b/net/can/raw.c
> > @@ -697,49 +697,68 @@ static int raw_setsockopt(struct socket *sock, int
> > level, int optname,
> > return -EINVAL;
> >
> > if (copy_from_sockptr(&flag, optval, optlen))
> > return -EFAULT;
> >
> > + rtnl_lock();
> > + lock_sock(sk);
> > ro->loopback = !!flag;
> > + release_sock(sk);
> > + rtnl_unlock();
> > break;
> >
> > case CAN_RAW_RECV_OWN_MSGS:
> > if (optlen != sizeof(flag))
> > return -EINVAL;
> >
> > if (copy_from_sockptr(&flag, optval, optlen))
> > return -EFAULT;
> >
> > + rtnl_lock();
> > + lock_sock(sk);
> > ro->recv_own_msgs = !!flag;
> > + release_sock(sk);
> > + rtnl_unlock();
> > break;
> >
> > case CAN_RAW_FD_FRAMES:
> > if (optlen != sizeof(flag))
> > return -EINVAL;
> >
> > if (copy_from_sockptr(&flag, optval, optlen))
> > return -EFAULT;
> >
> > + rtnl_lock();
> > + lock_sock(sk);
> > /* Enabling CAN XL includes CAN FD */
> > - if (ro->xl_frames && !flag)
> > + if (ro->xl_frames && !flag) {
> > + release_sock(sk);
> > + rtnl_unlock();
> > return -EINVAL;
> > + }
> >
> > ro->fd_frames = !!flag;
> > + release_sock(sk);
> > + rtnl_unlock();
> > break;
> >
> > case CAN_RAW_XL_FRAMES:
> > if (optlen != sizeof(flag))
> > return -EINVAL;
> >
> > if (copy_from_sockptr(&flag, optval, optlen))
> > return -EFAULT;
> >
> > + rtnl_lock();
> > + lock_sock(sk);
> > ro->xl_frames = !!flag;
> >
> > /* Enabling CAN XL includes CAN FD */
> > if (ro->xl_frames)
> > ro->fd_frames = ro->xl_frames;
> > + release_sock(sk);
> > + rtnl_unlock();
> > break;
> >
> > case CAN_RAW_XL_VCID_OPTS:
> > if (optlen != sizeof(ro->raw_vcid_opts))
> > return -EINVAL;
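Review bot: the CAN_RAW_FD_FRAMES case now returns -EINVAL from inside the locked region and unlocks in the correct reverse order (release_sock before rtnl_unlock), but the rtnl_lock()/lock_sock() pair around a single flag store is repeated in every case of this hunk with no comment saying what rtnl_lock is protecting these stores against; a one-line comment at the first site (or a small lock/unlock helper) would make the intent clear and make it harder to miss a case. In particular, the CAN_RAW_XL_VCID_OPTS case starts at the end of this hunk but its body falls between the two hunks, so please confirm that the write to ro->raw_vcid_opts is covered by the same locking as the flag stores above it.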
> > @@ -758,11 +777,15 @@ static int raw_setsockopt(struct socket *sock, int
> > level, int optname,
> > return -EINVAL;
> >
> > if (copy_from_sockptr(&flag, optval, optlen))
> > return -EFAULT;
> >
> > + rtnl_lock();
> > + lock_sock(sk);
> > ro->join_filters = !!flag;
> > + release_sock(sk);
> > + rtnl_unlock();
> > break;
> >
> > default:
> > return -ENOPROTOOPT;
> > }
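Review bot: with the join_filters case following the same four-line bracket as the five cases in the previous hunk, consider taking rtnl_lock()/lock_sock() once before the switch and releasing once after it, adjusting the -EINVAL/-EFAULT early returns accordingly, rather than duplicating the lock/unlock pattern in each case; this also keeps the default -ENOPROTOOPT path uniform with the rest.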
> >
> >

Hello,

Thanks for your reply.

We have tested the patch, and our reproducer did not trigger any issue.

As this issue was identified via fuzzing and we have limited background,
we find it challenging to provide further verification.

At least for our specific test case, the issue seems to be resolved.

We hope this testing feedback is helpful.

Thank you.

Best Regards,
Eulgyu Kim