Merge patch series "can: fix can-gw Out-of-Bounds Heap R/W and isotp UAF"

marckleinebudde · marckleinebudde · commit cce598ffc6af · 2026-03-19T17:16:03.000+01:00
Marc Kleine-Budde <mkl@pengutronix.de> says: This series is by Ali Norouzi and Oliver Hartkopp fixing a can-gw Out-of-Bounds Heap R/W and can-isotp UAF. Link: https://patch.msgid.link/20260319-fix-can-gw-and-can-isotp-v2-0-c45d52c6d2d8@pengutronix.de Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
diff --git a/net/can/gw.c b/net/can/gw.c
@@ -375,10 +375,10 @@ static void cgw_csum_crc8_rel(struct canfd_frame *cf,
 		return;
 
 	if (from <= to) {
-		for (i = crc8->from_idx; i <= crc8->to_idx; i++)
+		for (i = from; i <= to; i++)
 			crc = crc8->crctab[crc ^ cf->data[i]];
 	} else {
-		for (i = crc8->from_idx; i >= crc8->to_idx; i--)
+		for (i = from; i >= to; i--)
 			crc = crc8->crctab[crc ^ cf->data[i]];
 	}
 
@@ -397,7 +397,7 @@ static void cgw_csum_crc8_rel(struct canfd_frame *cf,
 		break;
 	}
 
-	cf->data[crc8->result_idx] = crc ^ crc8->final_xor_val;
+	cf->data[res] = crc ^ crc8->final_xor_val;
 }
 
 static void cgw_csum_crc8_pos(struct canfd_frame *cf,
diff --git a/net/can/isotp.c b/net/can/isotp.c
@@ -1248,12 +1248,6 @@ static int isotp_release(struct socket *sock)
 	so->ifindex = 0;
 	so->bound = 0;
 
-	if (so->rx.buf != so->rx.sbuf)
-		kfree(so->rx.buf);
-
-	if (so->tx.buf != so->tx.sbuf)
-		kfree(so->tx.buf);
-
 	sock_orphan(sk);
 	sock->sk = NULL;
 
@@ -1622,6 +1616,21 @@ static int isotp_notifier(struct notifier_block *nb, unsigned long msg,
 	return NOTIFY_DONE;
 }
 
+static void isotp_sock_destruct(struct sock *sk)
+{
+	struct isotp_sock *so = isotp_sk(sk);
+
+	/* do the standard CAN sock destruct work */
+	can_sock_destruct(sk);
+
+	/* free potential extended PDU buffers */
+	if (so->rx.buf != so->rx.sbuf)
+		kfree(so->rx.buf);
+
+	if (so->tx.buf != so->tx.sbuf)
+		kfree(so->tx.buf);
+}
+
 static int isotp_init(struct sock *sk)
 {
 	struct isotp_sock *so = isotp_sk(sk);
@@ -1666,6 +1675,9 @@ static int isotp_init(struct sock *sk)
 	list_add_tail(&so->notifier, &isotp_notifier_list);
 	spin_unlock(&isotp_notifier_lock);
 
+	/* re-assign default can_sock_destruct() reference */
+	sk->sk_destruct = isotp_sock_destruct;
+
 	return 0;
 }
 

Original file line number	Diff line number	Diff line change
`@@ -375,10 +375,10 @@ static void cgw_csum_crc8_rel(struct canfd_frame *cf,`
`375`	`375`	`return;`
`376`	`376`
`377`	`377`	`if (from <= to) {`
`378`		`- for (i = crc8->from_idx; i <= crc8->to_idx; i++)`
	`378`	`+ for (i = from; i <= to; i++)`
`379`	`379`	`crc = crc8->crctab[crc ^ cf->data[i]];`
`380`	`380`	`} else {`
`381`		`- for (i = crc8->from_idx; i >= crc8->to_idx; i--)`
	`381`	`+ for (i = from; i >= to; i--)`
`382`	`382`	`crc = crc8->crctab[crc ^ cf->data[i]];`
`383`	`383`	`}`
`384`	`384`
`@@ -397,7 +397,7 @@ static void cgw_csum_crc8_rel(struct canfd_frame *cf,`
`397`	`397`	`break;`
`398`	`398`	`}`
`399`	`399`
`400`		`- cf->data[crc8->result_idx] = crc ^ crc8->final_xor_val;`
	`400`	`+ cf->data[res] = crc ^ crc8->final_xor_val;`
`401`	`401`	`}`
`402`	`402`
`403`	`403`	`static void cgw_csum_crc8_pos(struct canfd_frame *cf,`