From: Sabrina Dubroca <sd@queasysnail.net>
To: Liu Jian <liujian56@huawei.com>
Cc: borisp@nvidia.com, john.fastabend@gmail.com, kuba@kernel.org,
davem@davemloft.net, edumazet@google.com, pabeni@redhat.com,
vfedorenko@novek.ru, netdev@vger.kernel.org
Subject: Re: [PATCH net v2] net/tls: do not free tls_rec on async operation in bpf_exec_tx_verdict()
Date: Mon, 11 Sep 2023 11:16:49 +0200
Message-ID: <ZP7bAbz6I8L6Yirp@hog>
In-Reply-To: <20230909081434.2324940-1-liujian56@huawei.com>
2023-09-09, 16:14:34 +0800, Liu Jian wrote:
> I got the warning below when doing fuzzing tests:
> BUG: KASAN: null-ptr-deref in scatterwalk_copychunks+0x320/0x470
> Read of size 4 at addr 0000000000000008 by task kworker/u8:1/9
>
> CPU: 0 PID: 9 Comm: kworker/u8:1 Tainted: G OE
> Hardware name: linux,dummy-virt (DT)
> Workqueue: pencrypt_parallel padata_parallel_worker
> Call trace:
> dump_backtrace+0x0/0x420
> show_stack+0x34/0x44
> dump_stack+0x1d0/0x248
> __kasan_report+0x138/0x140
> kasan_report+0x44/0x6c
> __asan_load4+0x94/0xd0
> scatterwalk_copychunks+0x320/0x470
> skcipher_next_slow+0x14c/0x290
> skcipher_walk_next+0x2fc/0x480
> skcipher_walk_first+0x9c/0x110
> skcipher_walk_aead_common+0x380/0x440
> skcipher_walk_aead_encrypt+0x54/0x70
> ccm_encrypt+0x13c/0x4d0
> crypto_aead_encrypt+0x7c/0xfc
> pcrypt_aead_enc+0x28/0x84
> padata_parallel_worker+0xd0/0x2dc
> process_one_work+0x49c/0xbdc
> worker_thread+0x124/0x880
> kthread+0x210/0x260
> ret_from_fork+0x10/0x18
>
> This is because the value of rec_seq of tls_crypto_info configured by the
> user program is too large, for example, 0xffffffffffffff. In addition, TLS
> is asynchronously accelerated. When tls_do_encryption() returns
> -EINPROGRESS and sk->sk_err is set to EBADMSG due to rec_seq overflow,
> skmsg is released before the asynchronous encryption process ends. As a
> result, the UAF problem occurs during the asynchronous processing of the
> encryption module.
>
> If the operation is asynchronous and the encryption module returns
> EINPROGRESS, do not free the record information.
>
> Fixes: 635d93981786 ("net/tls: free record only on encryption error")
> Signed-off-by: Liu Jian <liujian56@huawei.com>
Reviewed-by: Sabrina Dubroca <sd@queasysnail.net>
--
Sabrina
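As an added illustration, not code from the patch or from the kernel: a constructed C model of the ownership rule the commit message describes, where the async engine keeps a pointer to the record until its completion runs and the submitter must therefore not free the record on -EINPROGRESS, even when the rec_seq overflow has already set sk_err to EBADMSG. The structs, the one-byte rec_seq and the model_* function names are assumptions that stand in for the real net/tls code.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>
/* Constructed model of the bug above, not kernel code: the async engine owns
 * the record until its completion runs, so -EINPROGRESS must not free it. */
#define MODEL_EINPROGRESS 115
#define MODEL_EBADMSG     74
struct tls_rec { char payload[16]; bool freed; };
struct model_sock {
    uint8_t rec_seq;         /* one-byte stand-in for the TLS record sequence */
    int sk_err;
    struct tls_rec *pending; /* record currently owned by the async engine */
};

/* Stand-in for tls_do_encryption(): hands the record to the engine, then
 * advances rec_seq; a wrap-around aborts the socket with EBADMSG. */
static int model_do_encryption(struct model_sock *sk, struct tls_rec *rec)
{
    sk->pending = rec;
    if (++sk->rec_seq == 0)
        sk->sk_err = MODEL_EBADMSG;
    return -MODEL_EINPROGRESS;
}

/* Engine completion: returns false if it would write into freed memory. */
static bool model_engine_complete(struct model_sock *sk)
{
    struct tls_rec *rec = sk->pending;
    sk->pending = NULL;
    if (rec == NULL || rec->freed)
        return false;
    memset(rec->payload, 'E', sizeof rec->payload);   /* "encrypt" in place */
    return true;
}

/* One push with rec_seq about to wrap, then the engine's completion.
 * `fixed` selects the corrected error check; true means no use-after-free. */
static bool model_run(bool fixed)
{
    struct model_sock sk = { .rec_seq = UINT8_MAX, .sk_err = 0, .pending = NULL };
    struct tls_rec rec = { .payload = "plaintext", .freed = false };
    int err = model_do_encryption(&sk, &rec);
    /* Submitter's error handling: only the fixed variant recognises that an
     * in-flight record is still owned by the engine and leaves it alone. */
    bool in_flight = fixed && err == -MODEL_EINPROGRESS;
    if (!in_flight && err && sk.sk_err == MODEL_EBADMSG)
        rec.freed = true;     /* buggy path "frees" while encryption is pending */
    return model_engine_complete(&sk);
}
```

The model marks the record as freed instead of calling free() so that the completion step can report the use-after-free deterministically rather than relying on KASAN.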
2023-09-09 8:14 [PATCH net v2] net/tls: do not free tls_rec on async operation in bpf_exec_tx_verdict() Liu Jian
2023-09-11 9:16 ` Sabrina Dubroca [this message]
2023-09-12 8:00 ` patchwork-bot+netdevbpf