qiurui
/
Ubuntu-focal-kernel
mirror of https://git.launchpad.net/~ubuntu-kernel/ubuntu/+source/linux/+git/focal
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

tls: fix use-after-free on failed backlog decryption 

When the decrypt request goes to the backlog and crypto_aead_decrypt
returns -EBUSY, tls_do_decryption will wait until all async
decryptions have completed. If one of them fails, tls_do_decryption
will return -EBADMSG and tls_decrypt_sg jumps to the error path,
releasing all the pages. But the pages have been passed to the async
callback, and have already been released by tls_decrypt_done.

The only true async case is when crypto_aead_decrypt returns
 -EINPROGRESS. With -EBUSY, we already waited so we can tell
tls_sw_recvmsg that the data is available for immediate copy, but we
need to notify tls_decrypt_sg (via the new ->async_done flag) that the
memory has already been released.

Fixes: 859054147318 ("net: tls: handle backlogging of crypto requests")
Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
Link: https://lore.kernel.org/r/4755dd8d9bebdefaa19ce1439b833d6199d4364c.1709132643.git.sd@queasysnail.net
Signed-off-by: Jakub Kicinski <kuba@kernel.org>

CVE-2024-26800
(backported from commit 13114dc5543069f7b97991e3b79937b6da05f5b0)
[juergh: Adjusted context and 'return err' instead of 'goto exit_free_skb'
 due to missing commits:
 fd31f3996af2 ("tls: rx: decrypt into a fresh skb")
 6bd116c8c654 ("tls: rx: return the decrypted skb via darg")]
Signed-off-by: Juerg Haefliger <juerg.haefliger@canonical.com>
Acked-by: Mehmet Basaran <mehmet.basaran@canonical.com>
Acked-by: Roxana Nicolescu <roxana.nicolescu@canonical.com>
Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
This commit is contained in:
Sabrina Dubroca 2024-09-05 16:26:00 +02:00 committed by Stefan Bader
parent 81a9adf960
commit 57122c74a0
1 changed files with 18 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

24
net/tls/tls_sw.c
View File

@ -47,6 +47,7 @@
struct tls_decrypt_arg { struct tls_decrypt_arg {
bool zc; bool zc;
bool async; bool async;
bool async_done;
}; };
noinline void tls_err_abort(struct sock *sk, int err) noinline void tls_err_abort(struct sock *sk, int err)
@ -287,15 +288,18 @@ static int tls_do_decryption(struct sock *sk,
} }
ret = crypto_aead_decrypt(aead_req); ret = crypto_aead_decrypt(aead_req);
if (ret == -EINPROGRESS)
return 0;
if (ret == -EBUSY) { if (ret == -EBUSY) {
ret = tls_decrypt_async_wait(ctx); ret = tls_decrypt_async_wait(ctx);
ret = ret ?: -EINPROGRESS; darg->async_done = true;
} /* all completions have run, we're not doing async anymore */
if (ret == -EINPROGRESS) { darg->async = false;
return 0; return ret;
} else if (darg->async) {
atomic_dec(&ctx->decrypt_pending);
} }
atomic_dec(&ctx->decrypt_pending);
darg->async = false; darg->async = false;
return ret; return ret;
@ -1551,9 +1555,17 @@ fallback_to_reg_recv:
/* Prepare and submit AEAD request */ /* Prepare and submit AEAD request */
err = tls_do_decryption(sk, skb, sgin, sgout, iv, err = tls_do_decryption(sk, skb, sgin, sgout, iv,
data_len, aead_req, darg); data_len, aead_req, darg);
if (err) {
if (darg->async_done)
return err;
}
if (darg->async) if (darg->async)
return 0; return 0;
if (unlikely(darg->async_done))
return 0;
/* Release the pages in case iov was mapped to pages */ /* Release the pages in case iov was mapped to pages */
for (; pages > 0; pages--) for (; pages > 0; pages--)
put_page(sg_page(&sgout[pages])); put_page(sg_page(&sgout[pages]));