From: Cong Wang <xiyou.wangcong@gmail.com>
To: Jiayuan Chen <jiayuan.chen@linux.dev>
Cc: bpf@vger.kernel.org, Boris Pismenny <borisp@nvidia.com>,
John Fastabend <john.fastabend@gmail.com>,
Jakub Kicinski <kuba@kernel.org>,
"David S. Miller" <davem@davemloft.net>,
Eric Dumazet <edumazet@google.com>,
Paolo Abeni <pabeni@redhat.com>, Simon Horman <horms@kernel.org>,
Andrii Nakryiko <andrii@kernel.org>,
Eduard Zingerman <eddyz87@gmail.com>,
Mykola Lysenko <mykolal@fb.com>,
Alexei Starovoitov <ast@kernel.org>,
Daniel Borkmann <daniel@iogearbox.net>,
Martin KaFai Lau <martin.lau@linux.dev>,
Song Liu <song@kernel.org>,
Yonghong Song <yonghong.song@linux.dev>,
KP Singh <kpsingh@kernel.org>,
Stanislav Fomichev <sdf@fomichev.me>, Hao Luo <haoluo@google.com>,
Jiri Olsa <jolsa@kernel.org>, Shuah Khan <shuah@kernel.org>,
Ihor Solodrai <isolodrai@meta.com>,
netdev@vger.kernel.org, linux-kernel@vger.kernel.org,
linux-kselftest@vger.kernel.org
Subject: Re: [PATCH bpf-next v1 1/2] bpf,ktls: Fix data corruption when using bpf_msg_pop_data() in ktls
Date: Thu, 29 May 2025 11:16:11 -0700 [thread overview]
Message-ID: <aDika2FRd4n+VRmZ@pop-os.localdomain> (raw)
In-Reply-To: <20250523131915.19349-2-jiayuan.chen@linux.dev>
On Fri, May 23, 2025 at 09:18:58PM +0800, Jiayuan Chen wrote:
> When sending plaintext data, we initially calculated the corresponding
> ciphertext length. However, if we later reduced the plaintext data length
> via socket policy, we failed to recalculate the ciphertext length.
>
> This results in transmitting buffers containing uninitialized data during
> ciphertext transmission.
>
> This causes uninitialized bytes to be appended after a complete
> "Application Data" packet, leading to errors on the receiving end when
> parsing TLS record.
>
> Fixes: d3b18ad31f93 ("tls: add bpf support to sk_msg handling")
> Reported-by: Cong Wang <xiyou.wangcong@gmail.com>
> Signed-off-by: Jiayuan Chen <jiayuan.chen@linux.dev>
> ---
> net/tls/tls_sw.c | 15 +++++++++++++++
> 1 file changed, 15 insertions(+)
>
> diff --git a/net/tls/tls_sw.c b/net/tls/tls_sw.c
> index fc88e34b7f33..b23a4655be6a 100644
> --- a/net/tls/tls_sw.c
> +++ b/net/tls/tls_sw.c
> @@ -872,6 +872,21 @@ static int bpf_exec_tx_verdict(struct sk_msg *msg, struct sock *sk,
> delta = msg->sg.size;
> psock->eval = sk_psock_msg_verdict(sk, psock, msg);
> delta -= msg->sg.size;
> +
> + if ((s32)delta > 0) {
> + /* It indicates that we executed bpf_msg_pop_data(),
> + * causing the plaintext data size to decrease.
> + * Therefore the encrypted data size also needs to
> + * correspondingly decrease. We only need to subtract
> + * delta to calculate the new ciphertext length since
> + * ktls does not support block encryption.
> + */
> + if (!WARN_ON_ONCE(!ctx->open_rec)) {
I am wondering if we need to WARN here? Because the code below this
handles it gracefully:
931 bool reset_eval = !ctx->open_rec;
932
933 rec = ctx->open_rec;
934 if (rec) {
935 msg = &rec->msg_plaintext;
936 if (!msg->apply_bytes)
937 reset_eval = true;
938 }
939 if (reset_eval) {
940 psock->eval = __SK_NONE;
941 if (psock->sk_redir) {
942 sock_put(psock->sk_redir);
943 psock->sk_redir = NULL;
944 }
945 }
Thanks for fixing it!
Cong
next prev parent reply other threads:[~2025-05-29 18:16 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-05-23 13:18 [PATCH bpf-next v1 0/2] bpf,ktls: Fix data corruption caused by using bpf_msg_pop_data() in ktls Jiayuan Chen
2025-05-23 13:18 ` [PATCH bpf-next v1 1/2] bpf,ktls: Fix data corruption when " Jiayuan Chen
2025-05-28 21:59 ` John Fastabend
2025-05-29 18:16 ` Cong Wang [this message]
2025-06-02 11:04 ` Jiayuan Chen
2025-06-05 14:55 ` John Fastabend
2025-05-23 13:18 ` [PATCH bpf-next v1 2/2] selftests/bpf: Add test to cover ktls with bpf_msg_pop_data Jiayuan Chen
2025-05-28 21:58 ` John Fastabend
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=aDika2FRd4n+VRmZ@pop-os.localdomain \
--to=xiyou.wangcong@gmail.com \
--cc=andrii@kernel.org \
--cc=ast@kernel.org \
--cc=borisp@nvidia.com \
--cc=bpf@vger.kernel.org \
--cc=daniel@iogearbox.net \
--cc=davem@davemloft.net \
--cc=eddyz87@gmail.com \
--cc=edumazet@google.com \
--cc=haoluo@google.com \
--cc=horms@kernel.org \
--cc=isolodrai@meta.com \
--cc=jiayuan.chen@linux.dev \
--cc=john.fastabend@gmail.com \
--cc=jolsa@kernel.org \
--cc=kpsingh@kernel.org \
--cc=kuba@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-kselftest@vger.kernel.org \
--cc=martin.lau@linux.dev \
--cc=mykolal@fb.com \
--cc=netdev@vger.kernel.org \
--cc=pabeni@redhat.com \
--cc=sdf@fomichev.me \
--cc=shuah@kernel.org \
--cc=song@kernel.org \
--cc=yonghong.song@linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).