[SRU,M,8/8] net: tls: fix returned read length with async decrypt

Message ID 20240325103300.494141-9-juerg.haefliger@canonical.com
State New
Series Fix for CVE-2024-2658{2,3,4,5}

Commit Message

Juerg Haefliger March 25, 2024, 10:33 a.m. UTC
From: Jakub Kicinski <kuba@kernel.org>

CVE-2024-26582

[ Upstream commit ac437a51ce662364062f704e321227f6728e6adc ]

We double count async, non-zc rx data. The previous fix was
lucky because if we fully zc async_copy_bytes is 0 so we add 0.
Decrypted already has all the bytes we handled, in all cases.
We don't have to adjust anything, delete the erroneous line.

Fixes: 4d42cd6bc2ac ("tls: rx: fix return value for async crypto")
Co-developed-by: Sabrina Dubroca <sd@queasysnail.net>
Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Reviewed-by: Simon Horman <horms@kernel.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
(cherry picked from commit 6a67bf10934c8f78988ebcc583476f3a21b7f848 linux-6.6.y)
Signed-off-by: Juerg Haefliger <juerg.haefliger@canonical.com>
---
 net/tls/tls_sw.c | 1 -
 1 file changed, 1 deletion(-)
Patch

diff --git a/net/tls/tls_sw.c b/net/tls/tls_sw.c
index 1a814907adfe..a076e4ee33dc 100644
--- a/net/tls/tls_sw.c
+++ b/net/tls/tls_sw.c
@@ -2129,7 +2129,6 @@  int tls_sw_recvmsg(struct sock *sk,
 		else
 			err = process_rx_list(ctx, msg, &control, 0,
 					      async_copy_bytes, is_peek);
-		decrypted += max(err, 0);
 	}
 
 	copied += decrypted;
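
Review bot: in the tls_sw_recvmsg() hunk, once `decrypted += max(err, 0);` is gone, the `err` assigned by the process_rx_list() call in the else branch has no visible consumer before `copied += decrypted;`. Please confirm that a negative return from process_rx_list() is still acted on further down in the function and not silently dropped, since the removed max(err, 0) was the only use shown in this context. A short comment at this spot saying that decrypted already accounts for every byte handled, as the commit message states, would help keep the adjustment from being reintroduced in a later backport.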