From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Eric Dumazet <edumazet@google.com>,
Mathieu Desnoyers <mathieu.desnoyers@efficios.com>,
"David S. Miller" <davem@davemloft.net>
Subject: [PATCH 4.4 26/58] tcp: md5: add missing memory barriers in tcp_md5_do_add()/tcp_md5_hash_key()
Date: Mon, 20 Jul 2020 17:36:42 +0200 [thread overview]
Message-ID: <20200720152748.455368338@linuxfoundation.org> (raw)
In-Reply-To: <20200720152747.127988571@linuxfoundation.org>
From: Eric Dumazet <edumazet@google.com>
[ Upstream commit 6a2febec338df7e7699a52d00b2e1207dcf65b28 ]
MD5 keys are read with RCU protection, and tcp_md5_do_add()
might update in-place a prior key.
Normally, typical RCU updates would allocate a new piece
of memory. In this case only key->key and key->keylen might
be updated, and we do not care if an incoming packet could
see the old key, the new one, or some intermediate value,
since changing the key on a live flow is known to be problematic
anyway.
We only want to make sure that in the case key->keylen
is changed, cpus in tcp_md5_hash_key() wont try to use
uninitialized data, or crash because key->keylen was
read twice to feed sg_init_one() and ahash_request_set_crypt()
Fixes: 9ea88a153001 ("tcp: md5: check md5 signature without socket lock")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/ipv4/tcp.c | 5 ++++-
net/ipv4/tcp_ipv4.c | 3 +++
2 files changed, 7 insertions(+), 1 deletion(-)
--- a/net/ipv4/tcp.c
+++ b/net/ipv4/tcp.c
@@ -3088,9 +3088,12 @@ EXPORT_SYMBOL(tcp_md5_hash_skb_data);
int tcp_md5_hash_key(struct tcp_md5sig_pool *hp, const struct tcp_md5sig_key *key)
{
+ u8 keylen = key->keylen;
struct scatterlist sg;
- sg_init_one(&sg, key->key, key->keylen);
+ smp_rmb(); /* paired with smp_wmb() in tcp_md5_do_add() */
+
+ sg_init_one(&sg, key->key, keylen);
return crypto_hash_update(&hp->md5_desc, &sg, key->keylen);
}
EXPORT_SYMBOL(tcp_md5_hash_key);
--- a/net/ipv4/tcp_ipv4.c
+++ b/net/ipv4/tcp_ipv4.c
@@ -933,6 +933,9 @@ int tcp_md5_do_add(struct sock *sk, cons
if (key) {
/* Pre-existing entry - just update that one. */
memcpy(key->key, newkey, newkeylen);
+
+ smp_wmb(); /* pairs with smp_rmb() in tcp_md5_hash_key() */
+
key->keylen = newkeylen;
return 0;
}
next prev parent reply other threads:[~2020-07-20 15:38 UTC|newest]
Thread overview: 65+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-07-20 15:36 [PATCH 4.4 00/58] 4.4.231-rc1 review Greg Kroah-Hartman
2020-07-20 15:36 ` [PATCH 4.4 01/58] KVM: s390: reduce number of IO pins to 1 Greg Kroah-Hartman
2020-07-20 15:36 ` [PATCH 4.4 02/58] spi: spidev: fix a race between spidev_release and spidev_remove Greg Kroah-Hartman
2020-07-20 15:36 ` [PATCH 4.4 03/58] spi: spidev: fix a potential use-after-free in spidev_release() Greg Kroah-Hartman
2020-07-20 15:36 ` [PATCH 4.4 04/58] scsi: mptscsih: Fix read sense data size Greg Kroah-Hartman
2020-07-20 15:36 ` [PATCH 4.4 05/58] net: cxgb4: fix return error value in t4_prep_fw Greg Kroah-Hartman
2020-07-20 15:36 ` [PATCH 4.4 06/58] smsc95xx: check return value of smsc95xx_reset Greg Kroah-Hartman
2020-07-20 15:36 ` [PATCH 4.4 07/58] smsc95xx: avoid memory leak in smsc95xx_bind Greg Kroah-Hartman
2020-07-20 15:36 ` [PATCH 4.4 08/58] ALSA: compress: fix partial_drain completion state Greg Kroah-Hartman
2020-07-20 15:36 ` [PATCH 4.4 09/58] arm64: kgdb: Fix single-step exception handling oops Greg Kroah-Hartman
2020-07-20 15:36 ` [PATCH 4.4 10/58] ALSA: opl3: fix infoleak in opl3 Greg Kroah-Hartman
2020-07-20 15:36 ` [PATCH 4.4 11/58] ALSA: hda - let hs_mic be picked ahead of hp_mic Greg Kroah-Hartman
2020-07-20 15:36 ` [PATCH 4.4 12/58] ALSA: usb-audio: add quirk for MacroSilicon MS2109 Greg Kroah-Hartman
2020-07-20 15:36 ` [PATCH 4.4 13/58] KVM: x86: bit 8 of non-leaf PDPEs is not reserved Greg Kroah-Hartman
2020-07-20 15:36 ` [PATCH 4.4 14/58] Revert "ath9k: Fix general protection fault in ath9k_hif_usb_rx_cb" Greg Kroah-Hartman
2020-07-20 15:36 ` [PATCH 4.4 15/58] btrfs: fix fatal extent_buffer readahead vs releasepage race Greg Kroah-Hartman
2020-07-20 15:36 ` [PATCH 4.4 16/58] drm/radeon: fix double free Greg Kroah-Hartman
2020-07-20 15:36 ` [PATCH 4.4 17/58] ARC: entry: fix potential EFA clobber when TIF_SYSCALL_TRACE Greg Kroah-Hartman
2020-07-20 15:36 ` [PATCH 4.4 18/58] ARC: elf: use right ELF_ARCH Greg Kroah-Hartman
2020-07-20 15:36 ` [PATCH 4.4 19/58] bnxt_en: fix NULL dereference in case SR-IOV configuration fails Greg Kroah-Hartman
2020-07-20 15:36 ` [PATCH 4.4 20/58] ipv4: fill fl4_icmp_{type,code} in ping_v4_sendmsg Greg Kroah-Hartman
2020-07-20 15:36 ` [PATCH 4.4 21/58] l2tp: remove skb_dst_set() from l2tp_xmit_skb() Greg Kroah-Hartman
2020-07-20 15:36 ` [PATCH 4.4 22/58] llc: make sure applications use ARPHRD_ETHER Greg Kroah-Hartman
2020-07-20 15:36 ` [PATCH 4.4 23/58] net: Added pointer check for dst->ops->neigh_lookup in dst_neigh_lookup_skb Greg Kroah-Hartman
2020-07-20 15:36 ` [PATCH 4.4 24/58] genetlink: remove genl_bind Greg Kroah-Hartman
2020-07-20 15:36 ` [PATCH 4.4 25/58] tcp: make sure listeners dont initialize congestion-control state Greg Kroah-Hartman
2020-07-20 15:36 ` Greg Kroah-Hartman [this message]
2020-07-20 15:36 ` [PATCH 4.4 27/58] tcp: md5: refine tcp_md5_do_add()/tcp_md5_hash_key() barriers Greg Kroah-Hartman
2020-07-20 15:36 ` [PATCH 4.4 28/58] tcp: md5: allow changing MD5 keys in all socket states Greg Kroah-Hartman
2020-07-20 15:36 ` [PATCH 4.4 29/58] i2c: eg20t: Load module automatically if ID matches Greg Kroah-Hartman
2020-07-20 15:36 ` [PATCH 4.4 30/58] Revert "usb/ehci-platform: Set PM runtime as active on resume" Greg Kroah-Hartman
2020-07-20 15:36 ` [PATCH 4.4 31/58] Revert "usb/xhci-plat: " Greg Kroah-Hartman
2020-07-20 15:36 ` [PATCH 4.4 32/58] Revert "usb/ohci-platform: Fix a warning when hibernating" Greg Kroah-Hartman
2020-07-20 15:36 ` [PATCH 4.4 33/58] usb: gadget: udc: atmel: fix uninitialized read in debug printk Greg Kroah-Hartman
2020-07-20 15:36 ` [PATCH 4.4 34/58] staging: comedi: verify array index is correct before using it Greg Kroah-Hartman
2020-07-20 15:36 ` [PATCH 4.4 35/58] perf stat: Zero all the ena and run array slot stats for interval mode Greg Kroah-Hartman
2020-07-20 15:36 ` [PATCH 4.4 36/58] mtd: rawnand: brcmnand: fix CS0 layout Greg Kroah-Hartman
2020-07-20 15:36 ` [PATCH 4.4 37/58] HID: magicmouse: do not set up autorepeat Greg Kroah-Hartman
2020-07-20 15:36 ` [PATCH 4.4 38/58] usb: core: Add a helper function to check the validity of EP type in URB Greg Kroah-Hartman
2020-07-20 15:36 ` [PATCH 4.4 39/58] ALSA: line6: Perform sanity check for each URB creation Greg Kroah-Hartman
2020-07-20 15:36 ` [PATCH 4.4 40/58] ALSA: usb-audio: Fix race against the error recovery URB submission Greg Kroah-Hartman
2020-07-20 15:36 ` [PATCH 4.4 41/58] USB: c67x00: fix use after free in c67x00_giveback_urb Greg Kroah-Hartman
2020-07-20 15:36 ` [PATCH 4.4 42/58] usb: chipidea: core: add wakeup support for extcon Greg Kroah-Hartman
2020-07-20 15:36 ` [PATCH 4.4 43/58] usb: gadget: function: fix missing spinlock in f_uac1_legacy Greg Kroah-Hartman
2020-07-20 15:37 ` [PATCH 4.4 44/58] USB: serial: iuu_phoenix: fix memory corruption Greg Kroah-Hartman
2020-07-20 15:37 ` [PATCH 4.4 45/58] USB: serial: cypress_m8: enable Simply Automated UPB PIM Greg Kroah-Hartman
2020-07-20 15:37 ` [PATCH 4.4 46/58] USB: serial: ch341: add new Product ID for CH340 Greg Kroah-Hartman
2020-07-20 15:37 ` [PATCH 4.4 47/58] USB: serial: option: add GosunCn GM500 series Greg Kroah-Hartman
2020-07-20 15:37 ` [PATCH 4.4 48/58] USB: serial: option: add Quectel EG95 LTE modem Greg Kroah-Hartman
2020-07-20 15:37 ` [PATCH 4.4 49/58] virtio: virtio_console: add missing MODULE_DEVICE_TABLE() for rproc serial Greg Kroah-Hartman
2020-07-20 15:37 ` [PATCH 4.4 50/58] fuse: Fix parameter for FS_IOC_{GET,SET}FLAGS Greg Kroah-Hartman
2020-07-20 15:37 ` [PATCH 4.4 51/58] mei: bus: dont clean driver pointer Greg Kroah-Hartman
2020-07-20 15:37 ` [PATCH 4.4 52/58] Input: i8042 - add Lenovo XiaoXin Air 12 to i8042 nomux list Greg Kroah-Hartman
2020-07-20 15:37 ` [PATCH 4.4 53/58] uio_pdrv_genirq: fix use without device tree and no interrupt Greg Kroah-Hartman
2020-07-20 15:37 ` [PATCH 4.4 54/58] MIPS: Fix build for LTS kernel caused by backporting lpj adjustment Greg Kroah-Hartman
2020-07-20 15:37 ` [PATCH 4.4 55/58] hwmon: (emc2103) fix unable to change fan pwm1_enable attribute Greg Kroah-Hartman
2020-07-20 15:37 ` [PATCH 4.4 56/58] dmaengine: fsl-edma: Fix NULL pointer exception in fsl_edma_tx_handler Greg Kroah-Hartman
2020-07-20 15:37 ` [PATCH 4.4 57/58] misc: atmel-ssc: lock with mutex instead of spinlock Greg Kroah-Hartman
2020-07-20 15:37 ` [PATCH 4.4 58/58] sched/fair: handle case of task_h_load() returning 0 Greg Kroah-Hartman
2020-07-20 23:54 ` [PATCH 4.4 00/58] 4.4.231-rc1 review Shuah Khan
2020-07-21 10:39 ` Naresh Kamboju
2020-07-21 11:57 ` Pavel Machek
[not found] ` <20200720152747.127988571-hQyY1W1yCW8ekmWlsbkhG0B+6BGkLq7r@public.gmane.org>
2020-07-21 13:16 ` Thierry Reding
2020-07-21 13:16 ` Thierry Reding
2020-07-21 16:36 ` Guenter Roeck
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200720152748.455368338@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=linux-kernel@vger.kernel.org \
--cc=mathieu.desnoyers@efficios.com \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.