Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit e0cfd515 authored by Daniel Jordan's avatar Daniel Jordan Committed by Greg Kroah-Hartman
Browse files

net/tls: Fix flipped sign in tls_err_abort() calls 



commit da353fac65fede6b8b4cfe207f0d9408e3121105 upstream.

sk->sk_err appears to expect a positive value, a convention that ktls
doesn't always follow and that leads to memory corruption in other code.
For instance,

    [kworker]
    tls_encrypt_done(..., err=<negative error from crypto request>)
      tls_err_abort(.., err)
        sk->sk_err = err;

    [task]
    splice_from_pipe_feed
      ...
        tls_sw_do_sendpage
          if (sk->sk_err) {
            ret = -sk->sk_err;  // ret is positive

    splice_from_pipe_feed (continued)
      ret = actor(...)  // ret is still positive and interpreted as bytes
                        // written, resulting in underflow of buf->len and
                        // sd->len, leading to huge buf->offset and bogus
                        // addresses computed in later calls to actor()

Fix all tls_err_abort() callers to pass a negative error code
consistently and centralize the error-prone sign flip there, throwing in
a warning to catch future misuse and uninlining the function so it
really does only warn once.

Cc: stable@vger.kernel.org
Fixes: c46234eb ("tls: RX path for ktls")
Reported-by: default avatar <syzbot+b187b77c8474f9648fae@syzkaller.appspotmail.com>
Signed-off-by: default avatarDaniel Jordan <daniel.m.jordan@oracle.com>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
parent 6a18d155

include/net/tls.h

+2 −7
Original line number Diff line number Diff line
@@ -360,6 +360,7 @@ int tls_sk_query(struct sock *sk, int optname, char __user *optval, 
		int __user *optlen);

int tls_sk_attach(struct sock *sk, int optname, char __user *optval,

		  unsigned int optlen);

void tls_err_abort(struct sock *sk, int err);



int tls_set_sw_offload(struct sock *sk, struct tls_context *ctx, int tx);

void tls_sw_strparser_arm(struct sock *sk, struct tls_context *ctx);
@@ -465,12 +466,6 @@ static inline bool tls_is_sk_tx_device_offloaded(struct sock *sk) 
#endif

}



static inline void tls_err_abort(struct sock *sk, int err)

{

	sk->sk_err = err;

	sk->sk_error_report(sk);

}



static inline bool tls_bigint_increment(unsigned char *seq, int len)

{

	int i;
@@ -499,7 +494,7 @@ static inline void tls_advance_record_sn(struct sock *sk, 
					 struct cipher_context *ctx)

{

	if (tls_bigint_increment(ctx->rec_seq, prot->rec_seq_size))

		tls_err_abort(sk, EBADMSG);

		tls_err_abort(sk, -EBADMSG);



	if (prot->version != TLS_1_3_VERSION)

		tls_bigint_increment(ctx->iv + TLS_CIPHER_AES_GCM_128_SALT_SIZE,

net/tls/tls_sw.c

+13 −4
Original line number Diff line number Diff line
@@ -35,6 +35,7 @@ 
 * SOFTWARE.

 */



#include <linux/bug.h>

#include <linux/sched/signal.h>

#include <linux/module.h>

#include <linux/splice.h>
@@ -43,6 +44,14 @@ 
#include <net/strparser.h>

#include <net/tls.h>



noinline void tls_err_abort(struct sock *sk, int err)

{

	WARN_ON_ONCE(err >= 0);

	/* sk->sk_err should contain a positive error code. */

	sk->sk_err = -err;

	sk->sk_error_report(sk);

}



static int __skb_nsg(struct sk_buff *skb, int offset, int len,

                     unsigned int recursion_level)

{
@@ -416,7 +425,7 @@ int tls_tx_records(struct sock *sk, int flags) 


tx_err:

	if (rc < 0 && rc != -EAGAIN)

		tls_err_abort(sk, EBADMSG);

		tls_err_abort(sk, -EBADMSG);



	return rc;

}
@@ -761,7 +770,7 @@ static int tls_push_record(struct sock *sk, int flags, 
			       msg_pl->sg.size + prot->tail_size, i);

	if (rc < 0) {

		if (rc != -EINPROGRESS) {

			tls_err_abort(sk, EBADMSG);

			tls_err_abort(sk, -EBADMSG);

			if (split) {

				tls_ctx->pending_open_record_frags = true;

				tls_merge_open_record(sk, rec, tmp, orig_end);
@@ -1822,7 +1831,7 @@ int tls_sw_recvmsg(struct sock *sk, 
		err = decrypt_skb_update(sk, skb, &msg->msg_iter,

					 &chunk, &zc, async_capable);

		if (err < 0 && err != -EINPROGRESS) {

			tls_err_abort(sk, EBADMSG);

			tls_err_abort(sk, -EBADMSG);

			goto recv_end;

		}
@@ -2002,7 +2011,7 @@ ssize_t tls_sw_splice_read(struct socket *sock, loff_t *ppos, 
		}



		if (err < 0) {

			tls_err_abort(sk, EBADMSG);

			tls_err_abort(sk, -EBADMSG);

			goto splice_read_end;

		}

		ctx->decrypted = true;