* [PATCH net v2] net/tls: fix slab-out-of-bounds bug in decrypt_internal
@ 2022-03-31 7:04 Ziyang Xuan
2022-04-01 3:20 ` Jakub Kicinski
2022-04-01 11:00 ` patchwork-bot+netdevbpf
0 siblings, 2 replies; 3+ messages in thread
From: Ziyang Xuan @ 2022-03-31 7:04 UTC (permalink / raw)
To: borisp, john.fastabend, daniel, kuba, davem, pabeni, netdev
Cc: vakul.garg, davejwatson, linux-kernel
The memory size of tls_ctx->rx.iv for AES128-CCM is 12 setting in
tls_set_sw_offload(). The return value of crypto_aead_ivsize()
for "ccm(aes)" is 16. So memcpy() require 16 bytes from 12 bytes
memory space will trigger slab-out-of-bounds bug as following:
==================================================================
BUG: KASAN: slab-out-of-bounds in decrypt_internal+0x385/0xc40 [tls]
Read of size 16 at addr ffff888114e84e60 by task tls/10911
Call Trace:
<TASK>
dump_stack_lvl+0x34/0x44
print_report.cold+0x5e/0x5db
? decrypt_internal+0x385/0xc40 [tls]
kasan_report+0xab/0x120
? decrypt_internal+0x385/0xc40 [tls]
kasan_check_range+0xf9/0x1e0
memcpy+0x20/0x60
decrypt_internal+0x385/0xc40 [tls]
? tls_get_rec+0x2e0/0x2e0 [tls]
? process_rx_list+0x1a5/0x420 [tls]
? tls_setup_from_iter.constprop.0+0x2e0/0x2e0 [tls]
decrypt_skb_update+0x9d/0x400 [tls]
tls_sw_recvmsg+0x3c8/0xb50 [tls]
Allocated by task 10911:
kasan_save_stack+0x1e/0x40
__kasan_kmalloc+0x81/0xa0
tls_set_sw_offload+0x2eb/0xa20 [tls]
tls_setsockopt+0x68c/0x700 [tls]
__sys_setsockopt+0xfe/0x1b0
Replace the crypto_aead_ivsize() with prot->iv_size + prot->salt_size
when memcpy() iv value in TLS_1_3_VERSION scenario.
Fixes: f295b3ae9f59 ("net/tls: Add support of AES128-CCM based ciphers")
Signed-off-by: Ziyang Xuan <william.xuanziyang@huawei.com>
---
v1->v2:
- Remove not-required modification.
---
net/tls/tls_sw.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/tls/tls_sw.c b/net/tls/tls_sw.c
index 0024a692f0f8..a8976ef95528 100644
--- a/net/tls/tls_sw.c
+++ b/net/tls/tls_sw.c
@@ -1496,7 +1496,7 @@ static int decrypt_internal(struct sock *sk, struct sk_buff *skb,
if (prot->version == TLS_1_3_VERSION ||
prot->cipher_type == TLS_CIPHER_CHACHA20_POLY1305)
memcpy(iv + iv_offset, tls_ctx->rx.iv,
- crypto_aead_ivsize(ctx->aead_recv));
+ prot->iv_size + prot->salt_size);
else
memcpy(iv + iv_offset, tls_ctx->rx.iv, prot->salt_size);
--
2.25.1
^ permalink raw reply related [flat|nested] 3+ messages in thread
* Re: [PATCH net v2] net/tls: fix slab-out-of-bounds bug in decrypt_internal
2022-03-31 7:04 [PATCH net v2] net/tls: fix slab-out-of-bounds bug in decrypt_internal Ziyang Xuan
@ 2022-04-01 3:20 ` Jakub Kicinski
2022-04-01 11:00 ` patchwork-bot+netdevbpf
1 sibling, 0 replies; 3+ messages in thread
From: Jakub Kicinski @ 2022-04-01 3:20 UTC (permalink / raw)
To: Ziyang Xuan
Cc: borisp, john.fastabend, daniel, davem, pabeni, netdev,
vakul.garg, davejwatson, linux-kernel
On Thu, 31 Mar 2022 15:04:28 +0800 Ziyang Xuan wrote:
> The memory size of tls_ctx->rx.iv for AES128-CCM is 12 setting in
> tls_set_sw_offload(). The return value of crypto_aead_ivsize()
> for "ccm(aes)" is 16. So memcpy() require 16 bytes from 12 bytes
> memory space will trigger slab-out-of-bounds bug as following:
>
> ==================================================================
> BUG: KASAN: slab-out-of-bounds in decrypt_internal+0x385/0xc40 [tls]
> Read of size 16 at addr ffff888114e84e60 by task tls/10911
Reviewed-by: Jakub Kicinski <kuba@kernel.org>
Thanks!
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [PATCH net v2] net/tls: fix slab-out-of-bounds bug in decrypt_internal
2022-03-31 7:04 [PATCH net v2] net/tls: fix slab-out-of-bounds bug in decrypt_internal Ziyang Xuan
2022-04-01 3:20 ` Jakub Kicinski
@ 2022-04-01 11:00 ` patchwork-bot+netdevbpf
1 sibling, 0 replies; 3+ messages in thread
From: patchwork-bot+netdevbpf @ 2022-04-01 11:00 UTC (permalink / raw)
To: Ziyang Xuan
Cc: borisp, john.fastabend, daniel, kuba, davem, pabeni, netdev,
vakul.garg, davejwatson, linux-kernel
Hello:
This patch was applied to netdev/net.git (master)
by David S. Miller <davem@davemloft.net>:
On Thu, 31 Mar 2022 15:04:28 +0800 you wrote:
> The memory size of tls_ctx->rx.iv for AES128-CCM is 12 setting in
> tls_set_sw_offload(). The return value of crypto_aead_ivsize()
> for "ccm(aes)" is 16. So memcpy() require 16 bytes from 12 bytes
> memory space will trigger slab-out-of-bounds bug as following:
>
> ==================================================================
> BUG: KASAN: slab-out-of-bounds in decrypt_internal+0x385/0xc40 [tls]
> Read of size 16 at addr ffff888114e84e60 by task tls/10911
>
> [...]
Here is the summary with links:
- [net,v2] net/tls: fix slab-out-of-bounds bug in decrypt_internal
https://git.kernel.org/netdev/net/c/9381fe8c849c
You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2022-04-01 11:00 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2022-03-31 7:04 [PATCH net v2] net/tls: fix slab-out-of-bounds bug in decrypt_internal Ziyang Xuan
2022-04-01 3:20 ` Jakub Kicinski
2022-04-01 11:00 ` patchwork-bot+netdevbpf
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).