From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-6.0 required=3.0 tests=DKIM_SIGNED,DKIM_VALID, HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,SIGNED_OFF_BY,SPF_PASS, T_DKIMWL_WL_HIGH,URIBL_BLOCKED,USER_AGENT_GIT autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 7A41BC43219 for ; Sat, 4 May 2019 10:26:30 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id 4ECE32085A for ; Sat, 4 May 2019 10:26:30 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1556965590; bh=ls4QDGuqYdGPmgaeQMHr6F52iikuwmWvSQiGIdTpikY=; h=From:To:Cc:Subject:Date:In-Reply-To:References:List-ID:From; b=VV1VIkbbeSIf3EWl4l2FoHjjG5ocd4ag/YoK03675krM6GcCmHXgmX0M260dRlUJK IG7gIE2PkY4AivXp+CzMUp6IHo3Y84mn1IJo45v6HtZCZaVrAjI+6reTDgTuooo/dh gETH81o6/FtZ6ggMst7SvQbpb0v8jTVQNfb1Y6dU= Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727747AbfEDK03 (ORCPT ); Sat, 4 May 2019 06:26:29 -0400 Received: from mail.kernel.org ([198.145.29.99]:35990 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727710AbfEDK00 (ORCPT ); Sat, 4 May 2019 06:26:26 -0400 Received: from localhost (83-86-89-107.cable.dynamic.v4.ziggo.nl [83.86.89.107]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id D589E2084A; Sat, 4 May 2019 10:26:24 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1556965585; bh=ls4QDGuqYdGPmgaeQMHr6F52iikuwmWvSQiGIdTpikY=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=cxBfpZlT2BAj0LUHRO88Bkx0ucnubtBXmcCEYN2M0oOBLys62loRaqCjXqSR0z0oD UTjdCn8S4m2MeuHsEwqbPb6qb2W9mhM/Y/BWRa7sGC1M9AHkKzc3zdysrMlEzzPiFt aybMAd8CoKsaIqLO6E5jqujmuxlOKwOy6wlS0bdM= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Jakub Kicinski , John Hurley , "David S. Miller" Subject: [PATCH 5.0 27/32] net/tls: fix copy to fragments in reencrypt Date: Sat, 4 May 2019 12:25:12 +0200 Message-Id: <20190504102453.318811912@linuxfoundation.org> X-Mailer: git-send-email 2.21.0 In-Reply-To: <20190504102452.523724210@linuxfoundation.org> References: <20190504102452.523724210@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Jakub Kicinski [ Upstream commit eb3d38d5adb520435d4e4af32529ccb13ccc9935 ] Fragments may contain data from other records so we have to account for that when we calculate the destination and max length of copy we can perform. Note that 'offset' is the offset within the message, so it can't be passed as offset within the frag.. Here skb_store_bits() would have realised the call is wrong and simply not copy data. Fixes: 4799ac81e52a ("tls: Add rx inline crypto offload") Signed-off-by: Jakub Kicinski Reviewed-by: John Hurley Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman --- net/tls/tls_device.c | 29 ++++++++++++++++++++++------- 1 file changed, 22 insertions(+), 7 deletions(-) --- a/net/tls/tls_device.c +++ b/net/tls/tls_device.c @@ -579,7 +579,7 @@ void handle_device_resync(struct sock *s static int tls_device_reencrypt(struct sock *sk, struct sk_buff *skb) { struct strp_msg *rxm = strp_msg(skb); - int err = 0, offset = rxm->offset, copy, nsg; + int err = 0, offset = rxm->offset, copy, nsg, data_len, pos; struct sk_buff *skb_iter, *unused; struct scatterlist sg[1]; char *orig_buf, *buf; @@ -610,9 +610,10 @@ static int tls_device_reencrypt(struct s else err = 0; + data_len = rxm->full_len - TLS_CIPHER_AES_GCM_128_TAG_SIZE; + if (skb_pagelen(skb) > offset) { - copy = min_t(int, skb_pagelen(skb) - offset, - rxm->full_len - TLS_CIPHER_AES_GCM_128_TAG_SIZE); + copy = min_t(int, skb_pagelen(skb) - offset, data_len); if (skb->decrypted) skb_store_bits(skb, offset, buf, copy); @@ -621,16 +622,30 @@ static int tls_device_reencrypt(struct s buf += copy; } + pos = skb_pagelen(skb); skb_walk_frags(skb, skb_iter) { - copy = min_t(int, skb_iter->len, - rxm->full_len - offset + rxm->offset - - TLS_CIPHER_AES_GCM_128_TAG_SIZE); + int frag_pos; + + /* Practically all frags must belong to msg if reencrypt + * is needed with current strparser and coalescing logic, + * but strparser may "get optimized", so let's be safe. + */ + if (pos + skb_iter->len <= offset) + goto done_with_frag; + if (pos >= data_len + rxm->offset) + break; + + frag_pos = offset - pos; + copy = min_t(int, skb_iter->len - frag_pos, + data_len + rxm->offset - offset); if (skb_iter->decrypted) - skb_store_bits(skb_iter, offset, buf, copy); + skb_store_bits(skb_iter, frag_pos, buf, copy); offset += copy; buf += copy; +done_with_frag: + pos += skb_iter->len; } free_buf: