tls: rx: don't store the decryption status in socket context

CVE-2024-26583 [ Upstream commit 7dc59c33d62c4520a119051d4486c214ef5caa23 ] Similar justification to previous change, the information about decryption status belongs in the skb. Signed-off-by: Jakub Kicinski <kuba@kernel.org> Signed-off-by: David S. Miller <davem@davemloft.net> Stable-dep-of: f7fa16d49837 ("tls: decrement decrypt_pending if no async completion will be called") Signed-off-by: Sasha Levin <sashal@kernel.org> (backported from commit de0970d258efa793fd1236a362f0838c9c9d2384 linux-5.15.y) [juergh: Minor adjustments due to missing commits: bc76e5bb12 ("net/tls: store decrypted on a single bit") 5c5458ec9d ("net/tls: store async_capable on a single bit")] 8538d29cea ("net/tls: add tracing for device/offload events")] Signed-off-by: Juerg Haefliger <juerg.haefliger@canonical.com> Acked-by: Manuel Diewald <manuel.diewald@canonical.com> Acked-by: Philip Cox <philip.cox@canonical.com> Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
2022-04-07 20:38:17 -07:00 · 2022-04-07 20:38:17 -07:00 · 78bf9e8c79
parent 2fea9590fe
commit 78bf9e8c79
4 changed files with 9 additions and 6 deletions
--- a/include/net/strparser.h
+++ b/include/net/strparser.h
@ -68,6 +68,7 @@ struct sk_skb_cb {
 	struct _strp_msg strp;
 	struct tls_msg {
 		u8 control;
+		u8 decrypted;
 	} tls;
 };

--- a/include/net/tls.h
+++ b/include/net/tls.h
@ -171,7 +171,6 @@ struct tls_sw_context_rx {

 	struct sk_buff *recv_pkt;
 	int async_capable;
-	bool decrypted;
 	atomic_t decrypt_pending;
 	/* protect crypto_wait with decrypt_pending*/
 	spinlock_t decrypt_compl_lock;
--- a/net/tls/tls_device.c
+++ b/net/tls/tls_device.c
@ -848,6 +848,7 @@ int tls_device_decrypted(struct sock *sk, struct tls_context *tls_ctx,
 			 struct sk_buff *skb, struct strp_msg *rxm)
 {
 	struct tls_offload_context_rx *ctx = tls_offload_ctx_rx(tls_ctx);
+	struct tls_msg *tlm = tls_msg(skb);
 	int is_decrypted = skb->decrypted;
 	int is_encrypted = !is_decrypted;
 	struct sk_buff *skb_iter;
@ -858,7 +859,7 @@ int tls_device_decrypted(struct sock *sk, struct tls_context *tls_ctx,
 		is_encrypted &= !skb_iter->decrypted;
 	}

-	ctx->sw.decrypted |= is_decrypted;
+	tlm->decrypted |= is_decrypted;

 	if (unlikely(test_bit(TLS_RX_DEV_DEGRADED, &tls_ctx->flags))) {
 		if (likely(is_encrypted || is_decrypted))
--- a/net/tls/tls_sw.c
+++ b/net/tls/tls_sw.c
@ -1555,9 +1555,10 @@ static int decrypt_skb_update(struct sock *sk, struct sk_buff *skb,
 	struct tls_sw_context_rx *ctx = tls_sw_ctx_rx(tls_ctx);
 	struct tls_prot_info *prot = &tls_ctx->prot_info;
 	struct strp_msg *rxm = strp_msg(skb);
+	struct tls_msg *tlm = tls_msg(skb);
 	int pad, err = 0;

-	if (!ctx->decrypted) {
+	if (!tlm->decrypted) {
 		if (tls_ctx->rx_conf == TLS_HW) {
 			err = tls_device_decrypted(sk, tls_ctx, skb, rxm);
 			if (err < 0)
@ -1565,7 +1566,7 @@ static int decrypt_skb_update(struct sock *sk, struct sk_buff *skb,
 		}

 		/* Still not decrypted after tls_device */
-		if (!ctx->decrypted) {
+		if (!tlm->decrypted) {
 			err = decrypt_internal(sk, skb, dest, NULL, chunk, zc,
 					       async);
 			if (err < 0) {
@ -1587,7 +1588,7 @@ static int decrypt_skb_update(struct sock *sk, struct sk_buff *skb,
 		rxm->offset += prot->prepend_size;
 		rxm->full_len -= prot->overhead_size;
 		tls_advance_record_sn(sk, prot, &tls_ctx->rx);
-		ctx->decrypted = true;
+		tlm->decrypted = 1;
 		ctx->saved_data_ready(sk);
 	} else {
 		*zc = false;
@ -2129,8 +2130,9 @@ static void tls_queue(struct strparser *strp, struct sk_buff *skb)
 {
 	struct tls_context *tls_ctx = tls_get_ctx(strp->sk);
 	struct tls_sw_context_rx *ctx = tls_sw_ctx_rx(tls_ctx);
+	struct tls_msg *tlm = tls_msg(skb);

-	ctx->decrypted = false;
+	tlm->decrypted = 0;

 	ctx->recv_pkt = skb;
 	strp_pause(strp);