Commit 1ae06987 authored by Hangyu Hua's avatar Hangyu Hua Committed by Jialin Zhang
Browse files

net: tls: fix possible race condition between do_tls_getsockopt_conf() and do_tls_setsockopt_conf() 

mainline inclusion
from mainline-v6.3-rc2
commit 49c47cc2
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/I6NIUR
CVE: CVE-2023-28466

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=49c47cc21b5b7a3d8deb18fc57b0aa2ab1286962

---------------------------

ctx->crypto_send.info is not protected by lock_sock in
do_tls_getsockopt_conf(). A race condition between do_tls_getsockopt_conf()
and error paths of do_tls_setsockopt_conf() may lead to a use-after-free
or null-deref.

More discussion:  https://lore.kernel.org/all/Y/ht6gQL+u6fj3dG@hog/



Fixes: 3c4d7559 ("tls: kernel TLS support")
Signed-off-by: default avatarHangyu Hua <hbh25y@gmail.com>
Link: https://lore.kernel.org/r/20230228023344.9623-1-hbh25y@gmail.com


Signed-off-by: default avatarJakub Kicinski <kuba@kernel.org>
Signed-off-by: default avatarLiu Jian <liujian56@huawei.com>

Conflicts:
	net/tls/tls_main.c
Reviewed-by: default avatarYue Haibing <yuehaibing@huawei.com>
Reviewed-by: default avatarWang Weiyang <wangweiyang2@huawei.com>
Signed-off-by: default avatarJialin Zhang <zhangjialin11@huawei.com>
parent ecc035e5

net/tls/tls_main.c

+5 −8
Original line number Diff line number Diff line
@@ -386,13 +386,11 @@ static int do_tls_getsockopt_conf(struct sock *sk, char __user *optval, 
			rc = -EINVAL;

			goto out;

		}

		lock_sock(sk);

		memcpy(crypto_info_aes_gcm_128->iv,

		       cctx->iv + TLS_CIPHER_AES_GCM_128_SALT_SIZE,

		       TLS_CIPHER_AES_GCM_128_IV_SIZE);

		memcpy(crypto_info_aes_gcm_128->rec_seq, cctx->rec_seq,

		       TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);

		release_sock(sk);

		if (copy_to_user(optval,

				 crypto_info_aes_gcm_128,

				 sizeof(*crypto_info_aes_gcm_128)))
@@ -410,13 +408,11 @@ static int do_tls_getsockopt_conf(struct sock *sk, char __user *optval, 
			rc = -EINVAL;

			goto out;

		}

		lock_sock(sk);

		memcpy(crypto_info_aes_gcm_256->iv,

		       cctx->iv + TLS_CIPHER_AES_GCM_256_SALT_SIZE,

		       TLS_CIPHER_AES_GCM_256_IV_SIZE);

		memcpy(crypto_info_aes_gcm_256->rec_seq, cctx->rec_seq,

		       TLS_CIPHER_AES_GCM_256_REC_SEQ_SIZE);

		release_sock(sk);

		if (copy_to_user(optval,

				 crypto_info_aes_gcm_256,

				 sizeof(*crypto_info_aes_gcm_256)))
@@ -432,13 +428,11 @@ static int do_tls_getsockopt_conf(struct sock *sk, char __user *optval, 
			rc = -EINVAL;

			goto out;

		}

		lock_sock(sk);

		memcpy(sm4_gcm_info->iv,

		       cctx->iv + TLS_CIPHER_SM4_GCM_SALT_SIZE,

		       TLS_CIPHER_SM4_GCM_IV_SIZE);

		memcpy(sm4_gcm_info->rec_seq, cctx->rec_seq,

		       TLS_CIPHER_SM4_GCM_REC_SEQ_SIZE);

		release_sock(sk);

		if (copy_to_user(optval, sm4_gcm_info, sizeof(*sm4_gcm_info)))

			rc = -EFAULT;

		break;
@@ -452,13 +446,11 @@ static int do_tls_getsockopt_conf(struct sock *sk, char __user *optval, 
			rc = -EINVAL;

			goto out;

		}

		lock_sock(sk);

		memcpy(sm4_ccm_info->iv,

		       cctx->iv + TLS_CIPHER_SM4_CCM_SALT_SIZE,

		       TLS_CIPHER_SM4_CCM_IV_SIZE);

		memcpy(sm4_ccm_info->rec_seq, cctx->rec_seq,

		       TLS_CIPHER_SM4_CCM_REC_SEQ_SIZE);

		release_sock(sk);

		if (copy_to_user(optval, sm4_ccm_info, sizeof(*sm4_ccm_info)))

			rc = -EFAULT;

		break;
@@ -476,6 +468,8 @@ static int do_tls_getsockopt(struct sock *sk, int optname, 
{

	int rc = 0;



	lock_sock(sk);



	switch (optname) {

	case TLS_TX:

	case TLS_RX:
@@ -486,6 +480,9 @@ static int do_tls_getsockopt(struct sock *sk, int optname, 
		rc = -ENOPROTOOPT;

		break;

	}



	release_sock(sk);



	return rc;

}