From patchwork Tue Nov 21 21:04:16 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Bethany Jamison X-Patchwork-Id: 1867038 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@legolas.ozlabs.org Authentication-Results: legolas.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=lists.ubuntu.com (client-ip=185.125.189.65; helo=lists.ubuntu.com; envelope-from=kernel-team-bounces@lists.ubuntu.com; receiver=patchwork.ozlabs.org) Received: from lists.ubuntu.com (lists.ubuntu.com [185.125.189.65]) (using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by legolas.ozlabs.org (Postfix) with ESMTPS id 4SZcMR6Qvgz1yRw for ; Wed, 22 Nov 2023 08:04:51 +1100 (AEDT) Received: from localhost ([127.0.0.1] helo=lists.ubuntu.com) by lists.ubuntu.com with esmtp (Exim 4.86_2) (envelope-from ) id 1r5Xv9-0005JQ-1h; Tue, 21 Nov 2023 21:04:35 +0000 Received: from smtp-relay-internal-0.internal ([10.131.114.225] helo=smtp-relay-internal-0.canonical.com) by lists.ubuntu.com with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.86_2) (envelope-from ) id 1r5Xuu-0005II-V2 for kernel-team@lists.ubuntu.com; Tue, 21 Nov 2023 21:04:22 +0000 Received: from mail-qv1-f72.google.com (mail-qv1-f72.google.com [209.85.219.72]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by smtp-relay-internal-0.canonical.com (Postfix) with ESMTPS id 361003F129 for ; Tue, 21 Nov 2023 21:04:20 +0000 (UTC) Received: by mail-qv1-f72.google.com with SMTP id 6a1803df08f44-66d0b251a6aso58717416d6.2 for ; Tue, 21 Nov 2023 13:04:20 -0800 (PST) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1700600659; x=1701205459; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=mQ0ubXipxFFNYzqLDv5DgcbMKyBN4iqYS/C+pxvN4HI=; b=Y3vWvb21xgMVRYuHtAV45Z/K2MgO3XlAvrJSLyL3/ZyiZCZ43WzBYjA+yq95+4GMEk fS6KxHIUs/CXR4DJI6Iar1oipNhrYbX2tueYSGsDht7OLH4T/avSkPt0hc7IB68Ay4XA 5izrKsZVs9XMzVuFLEx2OSskCG240wjU7TMSVb+mmZ302/EMTKTPi+TogE6kCECdy+7b QDHYLjcGMoAxyNyJCX3TMoGjSNebVmnlYlqDz5Nkq/fHbiBuTXZ7IPo/YPn0V9jgoK0B /+UoHEM815cogYi/bWKau/ejTSlgQ92mg6mpZSaXoWJ2335XzwBAgayswc/3DQuZgC5t R20Q== X-Gm-Message-State: AOJu0YwA0Zc5kLPBvVdkmsE/iuOMZx9iTUcDBk2FoeMZoH2aITEZMnVo KgdwjZd1x8oQYBDasiJFQuHEkAMGL3+a4E2LwlWdZ+vVFodabwyO81bzV+RtskOGl5iJiSQHbNg zcAWPEkLDwWQPnH8h9ALJMQ/OzUBDvOs3IkOIg0Ksbu6ctc6DUg== X-Received: by 2002:a05:6214:1241:b0:66d:a50a:2c6 with SMTP id r1-20020a056214124100b0066da50a02c6mr238232qvv.63.1700600659017; Tue, 21 Nov 2023 13:04:19 -0800 (PST) X-Google-Smtp-Source: AGHT+IG9FQStbgt0fGc050MntoU41Kw91fI2sbBJ4OR70CbwpgXbpN69tWIkZd+15ogUvZyUaktlqw== X-Received: by 2002:a05:6214:1241:b0:66d:a50a:2c6 with SMTP id r1-20020a056214124100b0066da50a02c6mr238214qvv.63.1700600658760; Tue, 21 Nov 2023 13:04:18 -0800 (PST) Received: from smtp.gmail.com (104-218-69-32.dynamic.lnk.ne.allofiber.net. [104.218.69.32]) by smtp.gmail.com with ESMTPSA id r14-20020a0562140c4e00b00679f5aee64bsm92275qvj.122.2023.11.21.13.04.17 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 21 Nov 2023 13:04:18 -0800 (PST) From: Bethany Jamison To: kernel-team@lists.ubuntu.com Subject: [SRU][Mantic][Lunar][Jammy][PATCH v3 1/1] net/tls: do not free tls_rec on async operation in bpf_exec_tx_verdict() Date: Tue, 21 Nov 2023 15:04:16 -0600 Message-Id: <20231121210416.50033-2-bethany.jamison@canonical.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20231121210416.50033-1-bethany.jamison@canonical.com> References: <20231121210416.50033-1-bethany.jamison@canonical.com> MIME-Version: 1.0 X-BeenThere: kernel-team@lists.ubuntu.com X-Mailman-Version: 2.1.20 Precedence: list List-Id: Kernel team discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: kernel-team-bounces@lists.ubuntu.com Sender: "kernel-team" From: Liu Jian I got the below warning when do fuzzing test: BUG: KASAN: null-ptr-deref in scatterwalk_copychunks+0x320/0x470 Read of size 4 at addr 0000000000000008 by task kworker/u8:1/9 CPU: 0 PID: 9 Comm: kworker/u8:1 Tainted: G OE Hardware name: linux,dummy-virt (DT) Workqueue: pencrypt_parallel padata_parallel_worker Call trace: dump_backtrace+0x0/0x420 show_stack+0x34/0x44 dump_stack+0x1d0/0x248 __kasan_report+0x138/0x140 kasan_report+0x44/0x6c __asan_load4+0x94/0xd0 scatterwalk_copychunks+0x320/0x470 skcipher_next_slow+0x14c/0x290 skcipher_walk_next+0x2fc/0x480 skcipher_walk_first+0x9c/0x110 skcipher_walk_aead_common+0x380/0x440 skcipher_walk_aead_encrypt+0x54/0x70 ccm_encrypt+0x13c/0x4d0 crypto_aead_encrypt+0x7c/0xfc pcrypt_aead_enc+0x28/0x84 padata_parallel_worker+0xd0/0x2dc process_one_work+0x49c/0xbdc worker_thread+0x124/0x880 kthread+0x210/0x260 ret_from_fork+0x10/0x18 This is because the value of rec_seq of tls_crypto_info configured by the user program is too large, for example, 0xffffffffffffff. In addition, TLS is asynchronously accelerated. When tls_do_encryption() returns -EINPROGRESS and sk->sk_err is set to EBADMSG due to rec_seq overflow, skmsg is released before the asynchronous encryption process ends. As a result, the UAF problem occurs during the asynchronous processing of the encryption module. If the operation is asynchronous and the encryption module returns EINPROGRESS, do not free the record information. Fixes: 635d93981786 ("net/tls: free record only on encryption error") Signed-off-by: Liu Jian Reviewed-by: Sabrina Dubroca Link: https://lore.kernel.org/r/20230909081434.2324940-1-liujian56@huawei.com Signed-off-by: Paolo Abeni (cherry picked from commit cfaa80c91f6f99b9342b6557f0f0e1143e434066) CVE-2023-6176 Signed-off-by: Bethany Jamison --- net/tls/tls_sw.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/net/tls/tls_sw.c b/net/tls/tls_sw.c index 53f944e6d8ef..e047abc60089 100644 --- a/net/tls/tls_sw.c +++ b/net/tls/tls_sw.c @@ -817,7 +817,7 @@ static int bpf_exec_tx_verdict(struct sk_msg *msg, struct sock *sk, psock = sk_psock_get(sk); if (!psock || !policy) { err = tls_push_record(sk, flags, record_type); - if (err && sk->sk_err == EBADMSG) { + if (err && err != -EINPROGRESS && sk->sk_err == EBADMSG) { *copied -= sk_msg_free(sk, msg); tls_free_open_rec(sk); err = -sk->sk_err; @@ -846,7 +846,7 @@ static int bpf_exec_tx_verdict(struct sk_msg *msg, struct sock *sk, switch (psock->eval) { case __SK_PASS: err = tls_push_record(sk, flags, record_type); - if (err && sk->sk_err == EBADMSG) { + if (err && err != -EINPROGRESS && sk->sk_err == EBADMSG) { *copied -= sk_msg_free(sk, msg); tls_free_open_rec(sk); err = -sk->sk_err;