From patchwork Tue Nov 21 17:31:15 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Bethany Jamison X-Patchwork-Id: 1866955 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@legolas.ozlabs.org Authentication-Results: legolas.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=lists.ubuntu.com (client-ip=185.125.189.65; helo=lists.ubuntu.com; envelope-from=kernel-team-bounces@lists.ubuntu.com; receiver=patchwork.ozlabs.org) Received: from lists.ubuntu.com (lists.ubuntu.com [185.125.189.65]) (using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by legolas.ozlabs.org (Postfix) with ESMTPS id 4SZWdL6nwNz1ySS for ; Wed, 22 Nov 2023 04:31:34 +1100 (AEDT) Received: from localhost ([127.0.0.1] helo=lists.ubuntu.com) by lists.ubuntu.com with esmtp (Exim 4.86_2) (envelope-from ) id 1r5Uap-0001ZZ-2C; Tue, 21 Nov 2023 17:31:23 +0000 Received: from smtp-relay-internal-1.internal ([10.131.114.114] helo=smtp-relay-internal-1.canonical.com) by lists.ubuntu.com with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.86_2) (envelope-from ) id 1r5Ual-0001Z4-LU for kernel-team@lists.ubuntu.com; Tue, 21 Nov 2023 17:31:19 +0000 Received: from mail-qv1-f72.google.com (mail-qv1-f72.google.com [209.85.219.72]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by smtp-relay-internal-1.canonical.com (Postfix) with ESMTPS id 315A53F68B for ; Tue, 21 Nov 2023 17:31:19 +0000 (UTC) Received: by mail-qv1-f72.google.com with SMTP id 6a1803df08f44-66d026cae6eso45211796d6.3 for ; Tue, 21 Nov 2023 09:31:19 -0800 (PST) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1700587878; x=1701192678; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=YSw/7agnNG3Ox5xTaii69Yxa7gx9l4psz7K38XngohI=; b=RIOTrwpTCNF0w/eH+pgfsMUBmg1kWGj+8aAOHc6FvUX5eMcZFRFTfnXbsAWdw6s+hv RB1PU5cmzdQoxflfAoWD3din7QphJTg4W+z3GCVibVbhneLw7T7/d+I5PLc1p4Os45Xg 2YrcoY3dqjmS7A8a1MPh0BgkcrYbCiIYGUz4gl9niTLrE7ksJ55UBTqIy/IGguaQodaM KbioOflYC9mycVDxsRFvAsAvB9mDCDHJ5qORGTO5kWabD8YfDRrN7lcxbjHWXUl864W4 MK2pjSR48wMaNSnAlD4+9+nnRot0fLzbWvFtX0VikqFjicHeRC94IJxpplAUgARwMIIK BOaA== X-Gm-Message-State: AOJu0YyhE7YZpAe+giLDyh09KlbzOQuvqENW8dREHkONgYM8Wbta/JEa f7bEBZhQ+JbYRs4GFEtppGVpRitu6H78jmZeLjwQI45B/hUIWA9gy3Fs2T4knRwEzqKG9cZWHSm AKhGERJGC67dN/tNm7aTytKYYo8QnvkmlpRlaLOxoHEVWqrUImg== X-Received: by 2002:a05:6214:401c:b0:66d:3474:a93a with SMTP id kd28-20020a056214401c00b0066d3474a93amr14861481qvb.30.1700587877881; Tue, 21 Nov 2023 09:31:17 -0800 (PST) X-Google-Smtp-Source: AGHT+IGlhvnSQRxEYnRQrk6kS6BLEYL49sMjo579I/UF+kz3bWVX4gqvE76K9ZFFomKvIeF7tvnkYA== X-Received: by 2002:a05:6214:401c:b0:66d:3474:a93a with SMTP id kd28-20020a056214401c00b0066d3474a93amr14861458qvb.30.1700587877579; Tue, 21 Nov 2023 09:31:17 -0800 (PST) Received: from smtp.gmail.com (104-218-69-32.dynamic.lnk.ne.allofiber.net. [104.218.69.32]) by smtp.gmail.com with ESMTPSA id u1-20020a0cec81000000b00670a01b4f8dsm4123815qvo.75.2023.11.21.09.31.16 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 21 Nov 2023 09:31:17 -0800 (PST) From: Bethany Jamison To: kernel-team@lists.ubuntu.com Subject: [SRU][Mantic][PATCH 1/1] net/tls: do not free tls_rec on async operation in bpf_exec_tx_verdict() Date: Tue, 21 Nov 2023 11:31:15 -0600 Message-Id: <20231121173115.41839-2-bethany.jamison@canonical.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20231121173115.41839-1-bethany.jamison@canonical.com> References: <20231121173115.41839-1-bethany.jamison@canonical.com> MIME-Version: 1.0 X-BeenThere: kernel-team@lists.ubuntu.com X-Mailman-Version: 2.1.20 Precedence: list List-Id: Kernel team discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: kernel-team-bounces@lists.ubuntu.com Sender: "kernel-team" From: Liu Jian I got the below warning when do fuzzing test: BUG: KASAN: null-ptr-deref in scatterwalk_copychunks+0x320/0x470 Read of size 4 at addr 0000000000000008 by task kworker/u8:1/9 CPU: 0 PID: 9 Comm: kworker/u8:1 Tainted: G OE Hardware name: linux,dummy-virt (DT) Workqueue: pencrypt_parallel padata_parallel_worker Call trace: dump_backtrace+0x0/0x420 show_stack+0x34/0x44 dump_stack+0x1d0/0x248 __kasan_report+0x138/0x140 kasan_report+0x44/0x6c __asan_load4+0x94/0xd0 scatterwalk_copychunks+0x320/0x470 skcipher_next_slow+0x14c/0x290 skcipher_walk_next+0x2fc/0x480 skcipher_walk_first+0x9c/0x110 skcipher_walk_aead_common+0x380/0x440 skcipher_walk_aead_encrypt+0x54/0x70 ccm_encrypt+0x13c/0x4d0 crypto_aead_encrypt+0x7c/0xfc pcrypt_aead_enc+0x28/0x84 padata_parallel_worker+0xd0/0x2dc process_one_work+0x49c/0xbdc worker_thread+0x124/0x880 kthread+0x210/0x260 ret_from_fork+0x10/0x18 This is because the value of rec_seq of tls_crypto_info configured by the user program is too large, for example, 0xffffffffffffff. In addition, TLS is asynchronously accelerated. When tls_do_encryption() returns -EINPROGRESS and sk->sk_err is set to EBADMSG due to rec_seq overflow, skmsg is released before the asynchronous encryption process ends. As a result, the UAF problem occurs during the asynchronous processing of the encryption module. If the operation is asynchronous and the encryption module returns EINPROGRESS, do not free the record information. Fixes: 635d93981786 ("net/tls: free record only on encryption error") Signed-off-by: Liu Jian Reviewed-by: Sabrina Dubroca Link: https://lore.kernel.org/r/20230909081434.2324940-1-liujian56@huawei.com Signed-off-by: Paolo Abeni CVE-2023-6176 Signed-off-by: Bethany Jamison --- net/tls/tls_sw.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/net/tls/tls_sw.c b/net/tls/tls_sw.c index 53f944e6d8ef..e047abc60089 100644 --- a/net/tls/tls_sw.c +++ b/net/tls/tls_sw.c @@ -817,7 +817,7 @@ static int bpf_exec_tx_verdict(struct sk_msg *msg, struct sock *sk, psock = sk_psock_get(sk); if (!psock || !policy) { err = tls_push_record(sk, flags, record_type); - if (err && sk->sk_err == EBADMSG) { + if (err && err != -EINPROGRESS && sk->sk_err == EBADMSG) { *copied -= sk_msg_free(sk, msg); tls_free_open_rec(sk); err = -sk->sk_err; @@ -846,7 +846,7 @@ static int bpf_exec_tx_verdict(struct sk_msg *msg, struct sock *sk, switch (psock->eval) { case __SK_PASS: err = tls_push_record(sk, flags, record_type); - if (err && sk->sk_err == EBADMSG) { + if (err && err != -EINPROGRESS && sk->sk_err == EBADMSG) { *copied -= sk_msg_free(sk, msg); tls_free_open_rec(sk); err = -sk->sk_err;