From: Sabrina Dubroca <sd@queasysnail.net>
To: "Gustavo A. R. Silva" <gustavoars@kernel.org>
Cc: Ayush Sawal <ayush.sawal@chelsio.com>,
"David S. Miller" <davem@davemloft.net>,
Eric Dumazet <edumazet@google.com>,
Jakub Kicinski <kuba@kernel.org>, Paolo Abeni <pabeni@redhat.com>,
Rohit Maheshwari <rohitm@chelsio.com>,
netdev@vger.kernel.org, linux-kernel@vger.kernel.org,
linux-hardening@vger.kernel.org
Subject: Re: [PATCH v2][next] cxgb4/ch_ktls: Fix undefined behavior bug in struct chcr_ktls_ofld_ctx_tx
Date: Tue, 3 Oct 2023 18:58:40 +0200 [thread overview]
Message-ID: <ZRxIQF8BHM_woghk@hog> (raw)
In-Reply-To: <ZRvzdlvlbX4+eIln@work>
2023-10-03, 12:56:54 +0200, Gustavo A. R. Silva wrote:
> `struct tls_offload_context_tx` is a flexible structure, which means
> that it contains a flexible-array member at the bottom. This could
> potentially lead to an overwrite of the objects following `base` in
> `struct chcr_ktls_ofld_ctx_tx` at run-time.
>
> Notice that flexible-array member `driver_state` in `struct
> tls_offload_context_tx` can grow up to 16 bytes:
>
> | include/net/tls.h-170:
> | #define TLS_DRIVER_STATE_SIZE_TX 16
>
> | include/net/tls.h-173:
> | #define TLS_OFFLOAD_CONTEXT_SIZE_TX \
> | (sizeof(struct tls_offload_context_tx) + TLS_DRIVER_STATE_SIZE_TX)
>
> | net/tls/tls_device.c-1119:
> | offload_ctx = kzalloc(TLS_OFFLOAD_CONTEXT_SIZE_TX, GFP_KERNEL);
>
> Fix this by placing the declaration of object `base` at the end of
> `struct chcr_ktls_ofld_ctx_tx`.
AFAIU, chcr_ktls_ofld_ctx_tx just misuses the extra space allocated by
tls_set_device_offload. There's no bug, but the code is a bit
confusing. I don't think this patch works, since chcr_ktls doesn't
allocate its own memory for chcr_ktls_ofld_ctx_tx.
As part of a series of cleanups that I'll submit soon (hopefully this
week), I updated chcr_ktls to use the driver_state part of
tls_offload_context_tx (instead of the cast in
chcr_get_ktls_tx_context), and then removed the flexarrays from
tls_offload_context_tx and tls_offload_context_rx (since they're
actually a fixed size).
--
Sabrina
prev parent reply other threads:[~2023-10-03 16:59 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-10-03 10:56 [PATCH v2][next] cxgb4/ch_ktls: Fix undefined behavior bug in struct chcr_ktls_ofld_ctx_tx Gustavo A. R. Silva
2023-10-03 16:58 ` Sabrina Dubroca [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=ZRxIQF8BHM_woghk@hog \
--to=sd@queasysnail.net \
--cc=ayush.sawal@chelsio.com \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=gustavoars@kernel.org \
--cc=kuba@kernel.org \
--cc=linux-hardening@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=pabeni@redhat.com \
--cc=rohitm@chelsio.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.