From: Florian Westphal <fw@strlen.de>
To: Hangyu Hua <hbh25y@gmail.com>
Cc: borisp@nvidia.com, john.fastabend@gmail.com, kuba@kernel.org,
davem@davemloft.net, edumazet@google.com, pabeni@redhat.com,
davejwatson@fb.com, aviadye@mellanox.com, ilyal@mellanox.com,
sd@queasysnail.net, netdev@vger.kernel.org,
linux-kernel@vger.kernel.org
Subject: Re: [PATCH] net: tls: fix possible race condition between do_tls_getsockopt_conf() and do_tls_setsockopt_conf()
Date: Fri, 24 Feb 2023 13:06:06 +0100 [thread overview]
Message-ID: <20230224120606.GI26596@breakpoint.cc> (raw)
In-Reply-To: <20230224105811.27467-1-hbh25y@gmail.com>
Hangyu Hua <hbh25y@gmail.com> wrote:
> ctx->crypto_send.info is not protected by lock_sock in
> do_tls_getsockopt_conf(). A race condition between do_tls_getsockopt_conf()
> and do_tls_setsockopt_conf() can cause a NULL point dereference or
> use-after-free read when memcpy.
Its good practice to quote the relevant parts of the splat here.
> Fixes: 3c4d7559159b ("tls: kernel TLS support")
> Signed-off-by: Hangyu Hua <hbh25y@gmail.com>
> ---
> net/tls/tls_main.c | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/net/tls/tls_main.c b/net/tls/tls_main.c
> index 3735cb00905d..4956f5149b8e 100644
> --- a/net/tls/tls_main.c
> +++ b/net/tls/tls_main.c
> @@ -374,6 +374,7 @@ static int do_tls_getsockopt_conf(struct sock *sk, char __user *optval,
> }
>
> /* get user crypto info */
> + lock_sock(sk);
> if (tx) {
> crypto_info = &ctx->crypto_send.info;
> cctx = &ctx->tx;
> @@ -381,6 +382,7 @@ static int do_tls_getsockopt_conf(struct sock *sk, char __user *optval,
> crypto_info = &ctx->crypto_recv.info;
> cctx = &ctx->rx;
> }
> + release_sock(sk);
Could you elaborate how this fixes a UAF bug?
AFAIU do_tls_setsockopt_conf uses ctx-> as scratch space, but this means
that getsockopt can see partial states.
If so, can the setsockopt part be changed so that reads only see
consistent states?
next prev parent reply other threads:[~2023-02-24 12:06 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-02-24 10:58 [PATCH] net: tls: fix possible race condition between do_tls_getsockopt_conf() and do_tls_setsockopt_conf() Hangyu Hua
2023-02-24 12:06 ` Florian Westphal [this message]
2023-02-24 18:55 ` Jakub Kicinski
2023-02-24 20:22 ` Sabrina Dubroca
2023-02-24 21:06 ` Jakub Kicinski
2023-02-24 21:48 ` Sabrina Dubroca
2023-02-24 22:17 ` Jakub Kicinski
2023-02-27 3:26 ` Hangyu Hua
2023-02-27 19:07 ` Jakub Kicinski
2023-02-28 1:48 ` Hangyu Hua
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20230224120606.GI26596@breakpoint.cc \
--to=fw@strlen.de \
--cc=aviadye@mellanox.com \
--cc=borisp@nvidia.com \
--cc=davejwatson@fb.com \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=hbh25y@gmail.com \
--cc=ilyal@mellanox.com \
--cc=john.fastabend@gmail.com \
--cc=kuba@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=pabeni@redhat.com \
--cc=sd@queasysnail.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).