* [PATCH 5.15 0/1] Request to cherry-pick 49c47cc21b5b to 5.15.y
From: Meena Shanmugam @ 2023-03-23 0:54 UTC
To: stable; +Cc: gregkh, hbh25y, Meena Shanmugam

The commit 49c47cc21b5b (net: tls: fix possible race condition between
do_tls_getsockopt_conf() and do_tls_setsockopt_conf()) fixes race
condition and use after free. This patch didn't apply cleanly in 5.15
kernel due to the added switch cases in do_tls_getsockopt_conf function.

Hangyu Hua (1):
  net: tls: fix possible race condition between do_tls_getsockopt_conf()
    and do_tls_setsockopt_conf()

 net/tls/tls_main.c | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

--
2.40.0.348.gf938b09366-goog

* [PATCH 5.15 1/1] net: tls: fix possible race condition between do_tls_getsockopt_conf() and do_tls_setsockopt_conf() 2023-03-23 0:54 [PATCH 5.15 0/1] Request to cherry-pick 49c47cc21b5b to 5.15.y Meena Shanmugam @ 2023-03-23 0:54 ` Meena Shanmugam 2023-03-25 0:42 ` [PATCH 5.15 0/1] Request to cherry-pick 49c47cc21b5b to 5.15.y Sasha Levin 1 sibling, 0 replies; 3+ messages in thread From: Meena Shanmugam @ 2023-03-23 0:54 UTC (permalink / raw) To: stable; +Cc: gregkh, hbh25y, Jakub Kicinski, Meena Shanmugam From: Hangyu Hua <hbh25y@gmail.com> commit 49c47cc21b5b7a3d8deb18fc57b0aa2ab1286962 upstream. ctx->crypto_send.info is not protected by lock_sock in do_tls_getsockopt_conf(). A race condition between do_tls_getsockopt_conf() and error paths of do_tls_setsockopt_conf() may lead to a use-after-free or null-deref. More discussion: https://lore.kernel.org/all/Y/ht6gQL+u6fj3dG@hog/ Fixes: 3c4d7559159b ("tls: kernel TLS support") Signed-off-by: Hangyu Hua <hbh25y@gmail.com> Link: https://lore.kernel.org/r/20230228023344.9623-1-hbh25y@gmail.com Signed-off-by: Jakub Kicinski <kuba@kernel.org> Signed-off-by: Meena Shanmugam <meenashanmugam@google.com> --- net/tls/tls_main.c | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/net/tls/tls_main.c b/net/tls/tls_main.c index a947cfb100bd..abd0c4557cb9 100644 --- a/net/tls/tls_main.c +++ b/net/tls/tls_main.c @@ -386,13 +386,11 @@ static int do_tls_getsockopt_conf(struct sock *sk, char __user *optval, rc = -EINVAL; goto out; } - lock_sock(sk); memcpy(crypto_info_aes_gcm_128->iv, cctx->iv + TLS_CIPHER_AES_GCM_128_SALT_SIZE, TLS_CIPHER_AES_GCM_128_IV_SIZE); memcpy(crypto_info_aes_gcm_128->rec_seq, cctx->rec_seq, TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE); - release_sock(sk); if (copy_to_user(optval, crypto_info_aes_gcm_128, sizeof(*crypto_info_aes_gcm_128))) 
@@ -410,13 +408,11 @@ static int do_tls_getsockopt_conf(struct sock *sk, char __user *optval, rc = -EINVAL; goto out; } - lock_sock(sk); memcpy(crypto_info_aes_gcm_256->iv, cctx->iv + TLS_CIPHER_AES_GCM_256_SALT_SIZE, TLS_CIPHER_AES_GCM_256_IV_SIZE); memcpy(crypto_info_aes_gcm_256->rec_seq, cctx->rec_seq, TLS_CIPHER_AES_GCM_256_REC_SEQ_SIZE); - release_sock(sk); if (copy_to_user(optval, crypto_info_aes_gcm_256, sizeof(*crypto_info_aes_gcm_256))) @@ -436,6 +432,8 @@ static int do_tls_getsockopt(struct sock *sk, int optname, { int rc = 0; + lock_sock(sk); + switch (optname) { case TLS_TX: case TLS_RX: @@ -446,6 +444,9 @@ static int do_tls_getsockopt(struct sock *sk, int optname, rc = -ENOPROTOOPT; break; } + + release_sock(sk); + return rc; } -- 2.40.0.348.gf938b09366-goog ^ permalink raw reply related [flat|nested] 3+ messages in thread
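Review bot: In the two do_tls_getsockopt_conf() hunks (the AES_GCM_128 and AES_GCM_256 cases), removing lock_sock()/release_sock() leaves the function dependent on its caller holding the socket lock, and nothing in the function records that requirement. Consider adding sock_owned_by_me(sk) at the top of do_tls_getsockopt_conf(), or at least a comment, so a later caller that forgets the lock is flagged by lockdep instead of quietly reintroducing the race on ctx->crypto_send.info. Because the cover letter says this backport conflicted around the switch cases, it is also worth confirming that no other case in the 5.15.y version of this function still calls lock_sock(sk): with the caller now holding the lock, a leftover inner lock_sock() would deadlock.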
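Review bot: In do_tls_getsockopt(), the new release_sock(sk) after the switch is only reached when every case leaves through break; the visible default arm does (rc = -ENOPROTOOPT; break;), but an arm that returns directly would exit with the socket still locked. Please check that the TLS_TX/TLS_RX arm in the 5.15.y tree assigns rc and breaks rather than returning. The lock now also covers the copy_to_user() calls in do_tls_getsockopt_conf(), which is acceptable because lock_sock() is a sleeping lock, but a short comment at the lock_sock(sk) line saying the wider scope is intentional would help the next reader.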
* Re: [PATCH 5.15 0/1] Request to cherry-pick 49c47cc21b5b to 5.15.y
From: Sasha Levin @ 2023-03-25 0:42 UTC
To: Meena Shanmugam; +Cc: stable, gregkh, hbh25y

On Thu, Mar 23, 2023 at 12:54:39AM +0000, Meena Shanmugam wrote:
>The commit 49c47cc21b5b (net: tls: fix possible race condition between
>do_tls_getsockopt_conf() and do_tls_setsockopt_conf()) fixes race
>condition and use after free. This patch didn't apply cleanly in 5.15
>kernel due to the added switch cases in do_tls_getsockopt_conf function.

Queued up (for all branches), thanks!

--
Thanks,
Sasha