From: Olga Kornievskaia <okorniev@redhat.com>
To: chuck.lever@oracle.com, jlayton@kernel.org,
trondmy@hammerspace.com, anna.schumaker@oracle.com, hch@lst.de,
sagi@grimberg.me, kch@nvidia.com, davem@davemloft.net,
edumazet@google.com, kuba@kernel.org, pabeni@redhat.com
Cc: linux-nfs@vger.kernel.org, linux-nvme@lists.infradead.org,
netdev@vger.kernel.org, kernel-tls-handshake@lists.linux.dev,
neil@brown.name, Dai.Ngo@oracle.com, tom@talpey.com,
hare@suse.de, horms@kernel.org, kbusch@kernel.org
Subject: [PATCH v2 0/4] address tls_alert_recv usage by NFS and NvME
Date: Thu, 31 Jul 2025 14:00:54 -0400 [thread overview]
Message-ID: <20250731180058.4669-1-okorniev@redhat.com> (raw)
v2: patch#3 changed to remove unused recv_cbuf member of nvmet_tcp_cmd
This is a multi-component patch series: NFS client, NFS server,
NvME (target), net.
tls_alert_recv() has been originally written to retrieve TLS alert
payload out of the msg iterator's kvec buffer. Yet, the callers of
tls_alert_recv() have not been careful enough to make sure that
msg has always been initialized with a kvec-backed iterator (ie.,
some times bvec was used). Furthermore, callers didn't account
for the fact that the msg iterator's kvec is advanced by sock_recvmsg
upon filling up the provided space by the copy. All that lead to
the ability to construct a malicious payload that would trigger
badness in tls_alert_recv().
This patch series attempts to address it in a couple of steps.
First, there are patches for each of the current consumers (NFS
server, NFS client, NvME target) of tls_alert_recv to address
an immediate problem which I think should be backported.
Note, patch#3 is NvME patch that had no testing. Compile only patch.
Second, the last patch builds on top of the fixes but changes
tls_alert_recv to force the callers to provide the kvec directly
in hopes that any future users of tls_alert_recv would be more
congnizant of providing location to the actual TLS alert payload.
Again note that nvme changes in patch#4 are compile only.
Olga Kornievskaia (4):
sunrpc: fix handling of server side tls alerts
sunrpc: fix client side handling of tls alerts
nvmet-tcp: fix handling of tls alerts
net/handshake: change tls_alert_recv to receive a kvec
Olga Kornievskaia (4):
sunrpc: fix handling of server side tls alerts
sunrpc: fix client side handling of tls alerts
nvmet-tcp: fix handling of tls alerts
net/handshake: change tls_alert_recv to receive a kvec
drivers/nvme/target/tcp.c | 38 ++++++++++++++------------
include/net/handshake.h | 2 +-
net/handshake/alert.c | 6 ++---
net/sunrpc/svcsock.c | 56 ++++++++++++++++++++++++++++-----------
net/sunrpc/xprtsock.c | 51 ++++++++++++++++++++++++-----------
5 files changed, 101 insertions(+), 52 deletions(-)
--
2.47.1
next reply other threads:[~2025-07-31 18:01 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-07-31 18:00 Olga Kornievskaia [this message]
2025-07-31 18:00 ` [PATCH v2 1/4] sunrpc: fix handling of server side tls alerts Olga Kornievskaia
2025-07-31 18:00 ` [PATCH v2 2/4] sunrpc: fix client side handling of " Olga Kornievskaia
2025-07-31 18:00 ` [PATCH v2 3/4] nvmet-tcp: fix " Olga Kornievskaia
2025-09-05 16:10 ` Olga Kornievskaia
2025-07-31 18:00 ` [PATCH v2 4/4] net/handshake: change tls_alert_recv to receive a kvec Olga Kornievskaia
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20250731180058.4669-1-okorniev@redhat.com \
--to=okorniev@redhat.com \
--cc=Dai.Ngo@oracle.com \
--cc=anna.schumaker@oracle.com \
--cc=chuck.lever@oracle.com \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=hare@suse.de \
--cc=hch@lst.de \
--cc=horms@kernel.org \
--cc=jlayton@kernel.org \
--cc=kbusch@kernel.org \
--cc=kch@nvidia.com \
--cc=kernel-tls-handshake@lists.linux.dev \
--cc=kuba@kernel.org \
--cc=linux-nfs@vger.kernel.org \
--cc=linux-nvme@lists.infradead.org \
--cc=neil@brown.name \
--cc=netdev@vger.kernel.org \
--cc=pabeni@redhat.com \
--cc=sagi@grimberg.me \
--cc=tom@talpey.com \
--cc=trondmy@hammerspace.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).