From: Sabrina Dubroca <sd@queasysnail.net>
To: Liu Jian <liujian56@huawei.com>
Cc: borisp@nvidia.com, john.fastabend@gmail.com, kuba@kernel.org,
davem@davemloft.net, edumazet@google.com, pabeni@redhat.com,
vfedorenko@novek.ru, netdev@vger.kernel.org
Subject: Re: [PATCH net v2] net/tls: do not free tls_rec on async operation in bpf_exec_tx_verdict()
Date: Mon, 11 Sep 2023 11:16:49 +0200 [thread overview]
Message-ID: <ZP7bAbz6I8L6Yirp@hog> (raw)
In-Reply-To: <20230909081434.2324940-1-liujian56@huawei.com>
2023-09-09, 16:14:34 +0800, Liu Jian wrote:
> I got the below warning when do fuzzing test:
> BUG: KASAN: null-ptr-deref in scatterwalk_copychunks+0x320/0x470
> Read of size 4 at addr 0000000000000008 by task kworker/u8:1/9
>
> CPU: 0 PID: 9 Comm: kworker/u8:1 Tainted: G OE
> Hardware name: linux,dummy-virt (DT)
> Workqueue: pencrypt_parallel padata_parallel_worker
> Call trace:
> dump_backtrace+0x0/0x420
> show_stack+0x34/0x44
> dump_stack+0x1d0/0x248
> __kasan_report+0x138/0x140
> kasan_report+0x44/0x6c
> __asan_load4+0x94/0xd0
> scatterwalk_copychunks+0x320/0x470
> skcipher_next_slow+0x14c/0x290
> skcipher_walk_next+0x2fc/0x480
> skcipher_walk_first+0x9c/0x110
> skcipher_walk_aead_common+0x380/0x440
> skcipher_walk_aead_encrypt+0x54/0x70
> ccm_encrypt+0x13c/0x4d0
> crypto_aead_encrypt+0x7c/0xfc
> pcrypt_aead_enc+0x28/0x84
> padata_parallel_worker+0xd0/0x2dc
> process_one_work+0x49c/0xbdc
> worker_thread+0x124/0x880
> kthread+0x210/0x260
> ret_from_fork+0x10/0x18
>
> This is because the value of rec_seq of tls_crypto_info configured by the
> user program is too large, for example, 0xffffffffffffff. In addition, TLS
> is asynchronously accelerated. When tls_do_encryption() returns
> -EINPROGRESS and sk->sk_err is set to EBADMSG due to rec_seq overflow,
> skmsg is released before the asynchronous encryption process ends. As a
> result, the UAF problem occurs during the asynchronous processing of the
> encryption module.
>
> If the operation is asynchronous and the encryption module returns
> EINPROGRESS, do not free the record information.
>
> Fixes: 635d93981786 ("net/tls: free record only on encryption error")
> Signed-off-by: Liu Jian <liujian56@huawei.com>
Reviewed-by: Sabrina Dubroca <sd@queasysnail.net>
--
Sabrina
next prev parent reply other threads:[~2023-09-11 9:17 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-09-09 8:14 [PATCH net v2] net/tls: do not free tls_rec on async operation in bpf_exec_tx_verdict() Liu Jian
2023-09-11 9:16 ` Sabrina Dubroca [this message]
2023-09-12 8:00 ` patchwork-bot+netdevbpf
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=ZP7bAbz6I8L6Yirp@hog \
--to=sd@queasysnail.net \
--cc=borisp@nvidia.com \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=john.fastabend@gmail.com \
--cc=kuba@kernel.org \
--cc=liujian56@huawei.com \
--cc=netdev@vger.kernel.org \
--cc=pabeni@redhat.com \
--cc=vfedorenko@novek.ru \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).