| Message ID | 20191127201646.25455-1-jakub.kicinski@netronome.com |
|---|---|
| Headers | show |
| Series | net: tls: fix scatter-gather list issues | expand |
From: Jakub Kicinski <jakub.kicinski@netronome.com> Date: Wed, 27 Nov 2019 12:16:38 -0800 > This series kicked of by a syzbot report fixes three issues around > scatter gather handling in the TLS code. First patch fixes a use- > -after-free situation which may occur if record was freed on error. > This could have already happened in BPF paths, and patch 2 now makes > the same condition occur in non-BPF code. > > Patch 2 fixes the problem spotted by syzbot. If encryption failed > we have to clean the end markings from scatter gather list. As > suggested by John the patch frees the record entirely and caller > may retry copying data from user space buffer again. > > Third patch fixes a bug in the TLS 1.3 code spotted while working > on patch 2. TLS 1.3 may effectively overflow the SG list which > leads to the BUG() in sg_page() being triggered. > > Patch 4 adds a test case which triggers this bug reliably. > > Next two patches are small cleanups of dead code and code which > makes dangerous assumptions. > > Last but not least two minor improvements to the sockmap tests. ... Series applied and queued up for -stable, thanks Jakub.
Hi! This series kicked of by a syzbot report fixes three issues around scatter gather handling in the TLS code. First patch fixes a use- -after-free situation which may occur if record was freed on error. This could have already happened in BPF paths, and patch 2 now makes the same condition occur in non-BPF code. Patch 2 fixes the problem spotted by syzbot. If encryption failed we have to clean the end markings from scatter gather list. As suggested by John the patch frees the record entirely and caller may retry copying data from user space buffer again. Third patch fixes a bug in the TLS 1.3 code spotted while working on patch 2. TLS 1.3 may effectively overflow the SG list which leads to the BUG() in sg_page() being triggered. Patch 4 adds a test case which triggers this bug reliably. Next two patches are small cleanups of dead code and code which makes dangerous assumptions. Last but not least two minor improvements to the sockmap tests. Tested: - bpf/test_sockmap - net/tls - syzbot repro (which used error injection, hence no direct selftest is added to preserve it). Jakub Kicinski (8): net/tls: take into account that bpf_exec_tx_verdict() may free the record net/tls: free the record on encryption error net: skmsg: fix TLS 1.3 crash with full sk_msg selftests/tls: add a test for fragmented messages net/tls: remove the dead inplace_crypto code net/tls: use sg_next() to walk sg entries selftests: bpf: test_sockmap: handle file creation failures gracefully selftests: bpf: correct perror strings include/linux/skmsg.h | 28 +++++----- include/net/tls.h | 3 +- net/core/filter.c | 8 +-- net/core/skmsg.c | 2 +- net/ipv4/tcp_bpf.c | 2 +- net/tls/tls_main.c | 13 +---- net/tls/tls_sw.c | 32 +++++++----- tools/testing/selftests/bpf/test_sockmap.c | 47 ++++++++++------- tools/testing/selftests/bpf/xdping.c | 2 +- tools/testing/selftests/net/tls.c | 60 ++++++++++++++++++++++ 10 files changed, 131 insertions(+), 66 deletions(-)