From: Jakub Kicinski <kuba@kernel•org>
To: davem@davemloft•net
Cc: netdev@vger•kernel.org, edumazet@google•com, pabeni@redhat•com,
sd@queasysnail•net, vadim.fedorenko@linux•dev,
Jakub Kicinski <kuba@kernel•org>,
borisp@nvidia•com, john.fastabend@gmail•com
Subject: [PATCH net 5/7] net: tls: fix use-after-free with partial reads and async decrypt
Date: Tue, 6 Feb 2024 17:18:22 -0800
Message-ID: <20240207011824.2609030-6-kuba@kernel.org>
In-Reply-To: <20240207011824.2609030-1-kuba@kernel.org>
From: Sabrina Dubroca <sd@queasysnail•net>
tls_decrypt_sg doesn't take a reference on the pages from clear_skb,
so the put_page() in tls_decrypt_done releases them, and we trigger
a use-after-free in process_rx_list when we try to read from the
partially-read skb.
Fixes: fd31f3996af2 ("tls: rx: decrypt into a fresh skb")
Signed-off-by: Sabrina Dubroca <sd@queasysnail•net>
Signed-off-by: Jakub Kicinski <kuba@kernel•org>
---
This is pretty much Sabrina's patch just addressing my own
feedback, so I'm keeping her as the author.
---
CC: borisp@nvidia•com
CC: john.fastabend@gmail•com
---
net/tls/tls_sw.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/net/tls/tls_sw.c b/net/tls/tls_sw.c
index 63bef5666e36..a6eff21ade23 100644
--- a/net/tls/tls_sw.c
+++ b/net/tls/tls_sw.c
@@ -63,6 +63,7 @@ struct tls_decrypt_ctx {
u8 iv[TLS_MAX_IV_SIZE];
u8 aad[TLS_MAX_AAD_SIZE];
u8 tail;
+ bool free_sgout;
struct scatterlist sg[];
};
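Review bot: the new `free_sgout` member carries no comment stating the invariant it encodes, namely that the sgout pages were allocated by this request in tls_decrypt_sg and must be put by the async completion; since a callback in another function frees memory based on it, a one-line comment at the declaration (e.g. `/* sgout pages were allocated here; completion must free them */`) would spare the next reader from tracing both functions to learn when it may be set.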
@@ -187,7 +188,6 @@ static void tls_decrypt_done(void *data, int err)
struct aead_request *aead_req = data;
struct crypto_aead *aead = crypto_aead_reqtfm(aead_req);
struct scatterlist *sgout = aead_req->dst;
- struct scatterlist *sgin = aead_req->src;
struct tls_sw_context_rx *ctx;
struct tls_decrypt_ctx *dctx;
struct tls_context *tls_ctx;
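Review bot: dropping the `sgin` local only compiles if the `sgout != sgin` test was its sole use in tls_decrypt_done; the hunk shows just the declaration, so please confirm no other reader of `aead_req->src` remains in this function. With it gone the free decision no longer depends on the request's source scatterlist at all, which is the point of the fix, but it also means any future in-place check here has to go through the context flag rather than pointer comparison.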
@@ -224,7 +224,7 @@ static void tls_decrypt_done(void *data, int err)
}
/* Free the destination pages if skb was not decrypted inplace */
- if (sgout != sgin) {
+ if (dctx->free_sgout) {
/* Skip the first S/G entry as it points to AAD */
for_each_sg(sg_next(sgout), sg, UINT_MAX, pages) {
if (!sg)
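Review bot: the comment above the changed condition, `Free the destination pages if skb was not decrypted inplace`, is now wrong: the branch no longer tests for in-place decryption, and the partial-read path that decrypts into clear_skb is also not in place yet must not free those pages (freeing them is exactly the use-after-free this patch fixes). Suggest rewording to match the new condition, e.g. `/* Free the destination pages only if this request allocated them */`, so the comment does not invite someone to "restore" the old check.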
@@ -1583,6 +1583,7 @@ static int tls_decrypt_sg(struct sock *sk, struct iov_iter *out_iov,
} else if (out_sg) {
memcpy(sgout, out_sg, n_sgout * sizeof(*sgout));
}
+ dctx->free_sgout = !!pages;
/* Prepare and submit AEAD request */
err = tls_do_decryption(sk, sgin, sgout, dctx->iv,
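Review bot: `dctx->free_sgout = !!pages;` is placed after both sgout setup branches, but the definition of `pages` is outside the hunk, so the fix rests on `pages` being NULL whenever the `out_sg` (clear_skb) branch or the in-place path is taken; a short comment at the assignment noting that `pages` is non-NULL only when this function allocated the destination would make that dependency explicit for reviewers of later changes to the allocation logic. The `!!` is redundant when assigning a pointer to a `bool`, though harmless and consistent with surrounding style. Setting the flag before tls_do_decryption is correct, since the async completion reads it.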
--
2.43.0
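The bug described in the commit message is an instance of a general pattern: a completion handler deciding whether to free a buffer by pointer inequality (destination differs from source) instead of by who allocated it. The following userspace C program is an added example, not code from the patch or from the kernel; it models the tls_decrypt_sg/tls_decrypt_done pair with hypothetical stand-ins (struct buf, struct req, submit(), complete_buggy(), complete_fixed(), dst_released_after()) and shows that the pre-fix condition releases a caller-owned destination in the borrowed (clear_skb-like) case, while an explicit ownership flag releases only what the request itself allocated.

```c
/*
 * Added example: userspace model of the ownership bug fixed by the patch.
 * Not kernel code. struct buf/struct req/submit/complete_* are hypothetical
 * stand-ins for tls_decrypt_ctx, tls_decrypt_sg and tls_decrypt_done.
 */
#include <stdbool.h>
#include <stdlib.h>

/* A buffer with a tombstone so a wrongful release can be detected
 * without dereferencing freed memory in the demo itself. */
struct buf {
    unsigned char *data;
    size_t len;
    bool released;
};

/* Stand-in for tls_decrypt_ctx: source, destination and the ownership flag. */
struct req {
    struct buf *src;
    struct buf *dst;
    bool free_dst;   /* plays the role of dctx->free_sgout */
};

enum dst_kind {
    DST_INPLACE,    /* decrypt into the source buffer itself */
    DST_ALLOCATED,  /* request allocates its own destination pages */
    DST_BORROWED,   /* destination belongs to the caller (clear_skb case) */
};

struct buf *buf_new(size_t len)
{
    struct buf *b = calloc(1, sizeof(*b));
    b->data = calloc(1, len);
    b->len = len;
    return b;
}

/* Release the payload; the struct survives so 'released' can be inspected. */
void buf_release(struct buf *b)
{
    free(b->data);
    b->data = NULL;
    b->released = true;
}

void buf_destroy(struct buf *b)
{
    if (!b->released)
        buf_release(b);
    free(b);
}

/* Stand-in for tls_decrypt_sg: pick a destination and record ownership. */
void submit(struct req *r, struct buf *src, struct buf *borrowed, enum dst_kind kind)
{
    r->src = src;
    r->dst = src;          /* default: in place, nothing to free */
    r->free_dst = false;
    switch (kind) {
    case DST_INPLACE:
        break;
    case DST_ALLOCATED:
        r->dst = buf_new(src->len);
        r->free_dst = true;  /* we own these pages */
        break;
    case DST_BORROWED:
        r->dst = borrowed;   /* caller owns these pages */
        break;
    }
}

/* Pre-fix completion: pointer inequality mistaken for ownership. */
void complete_buggy(struct req *r)
{
    if (r->dst != r->src)
        buf_release(r->dst);
}

/* Fixed completion: release only what this request allocated. */
void complete_fixed(struct req *r)
{
    if (r->free_dst)
        buf_release(r->dst);
}

/* Run one scenario; report whether the destination was released on completion. */
bool dst_released_after(enum dst_kind kind, void (*complete)(struct req *))
{
    struct buf *src = buf_new(64);       /* constructed sample buffers */
    struct buf *borrowed = buf_new(64);
    struct req r;
    bool released;

    submit(&r, src, borrowed, kind);
    complete(&r);
    released = r.dst->released;          /* a real partial read would touch dst here */

    if (kind == DST_ALLOCATED)
        buf_destroy(r.dst);
    buf_destroy(borrowed);
    buf_destroy(src);
    return released;
}
```

With the buggy completion, dst_released_after(DST_BORROWED, ...) reports the caller's buffer as released, which is the state process_rx_list finds the partially-read skb in; with the fixed completion only the DST_ALLOCATED case releases anything, and the in-place case is untouched by both.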
Thread overview: 23+ messages
2024-02-07 1:18 [PATCH net 0/7] net: tls: fix some issues with async encryption Jakub Kicinski
2024-02-07 1:18 ` [PATCH net 1/7] net: tls: factor out tls_*crypt_async_wait() Jakub Kicinski
2024-02-09 9:23 ` Simon Horman
2024-02-10 9:08 ` Sabrina Dubroca
2024-02-07 1:18 ` [PATCH net 2/7] tls: fix race between async notify and socket close Jakub Kicinski
2024-02-09 9:24 ` Simon Horman
2024-02-09 9:47 ` Eric Dumazet
2024-02-10 9:11 ` Sabrina Dubroca
2024-02-07 1:18 ` [PATCH net 3/7] tls: fix race between tx work scheduling " Jakub Kicinski
2024-02-09 9:24 ` Simon Horman
2024-02-10 9:12 ` Sabrina Dubroca
2024-02-07 1:18 ` [PATCH net 4/7] net: tls: handle backlogging of crypto requests Jakub Kicinski
2024-02-09 9:25 ` Simon Horman
2024-02-07 1:18 ` Jakub Kicinski [this message]
2024-02-09 9:25 ` [PATCH net 5/7] net: tls: fix use-after-free with partial reads and async decrypt Simon Horman
2024-02-07 1:18 ` [PATCH net 6/7] selftests: tls: use exact comparison in recv_partial Jakub Kicinski
2024-02-09 9:25 ` Simon Horman
2024-02-07 1:18 ` [PATCH net 7/7] net: tls: fix returned read length with async decrypt Jakub Kicinski
2024-02-09 9:22 ` Simon Horman
2024-02-10 9:02 ` Sabrina Dubroca
2024-02-12 17:11 ` Jakub Kicinski
2024-02-10 9:05 ` [PATCH net 0/7] net: tls: fix some issues with async encryption Sabrina Dubroca
2024-02-10 21:40 ` patchwork-bot+netdevbpf