[PATCH net v2] net/tls: do not free tls_rec on async operation in bpf_exec_tx

netdev.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

* [PATCH net v2] net/tls: do not free tls_rec on async operation in bpf_exec_tx_verdict()
@ 2023-09-09  8:14 Liu Jian
  2023-09-11  9:16 ` Sabrina Dubroca
  2023-09-12  8:00 ` patchwork-bot+netdevbpf
  0 siblings, 2 replies; 3+ messages in thread
From: Liu Jian @ 2023-09-09  8:14 UTC (permalink / raw)
  To: borisp, john.fastabend, kuba, davem, edumazet, pabeni, vfedorenko,
	sd, netdev
  Cc: liujian56

I got the below warning when do fuzzing test:
BUG: KASAN: null-ptr-deref in scatterwalk_copychunks+0x320/0x470
Read of size 4 at addr 0000000000000008 by task kworker/u8:1/9

CPU: 0 PID: 9 Comm: kworker/u8:1 Tainted: G           OE
Hardware name: linux,dummy-virt (DT)
Workqueue: pencrypt_parallel padata_parallel_worker
Call trace:
 dump_backtrace+0x0/0x420
 show_stack+0x34/0x44
 dump_stack+0x1d0/0x248
 __kasan_report+0x138/0x140
 kasan_report+0x44/0x6c
 __asan_load4+0x94/0xd0
 scatterwalk_copychunks+0x320/0x470
 skcipher_next_slow+0x14c/0x290
 skcipher_walk_next+0x2fc/0x480
 skcipher_walk_first+0x9c/0x110
 skcipher_walk_aead_common+0x380/0x440
 skcipher_walk_aead_encrypt+0x54/0x70
 ccm_encrypt+0x13c/0x4d0
 crypto_aead_encrypt+0x7c/0xfc
 pcrypt_aead_enc+0x28/0x84
 padata_parallel_worker+0xd0/0x2dc
 process_one_work+0x49c/0xbdc
 worker_thread+0x124/0x880
 kthread+0x210/0x260
 ret_from_fork+0x10/0x18

This is because the value of rec_seq of tls_crypto_info configured by the
user program is too large, for example, 0xffffffffffffff. In addition, TLS
is asynchronously accelerated. When tls_do_encryption() returns
-EINPROGRESS and sk->sk_err is set to EBADMSG due to rec_seq overflow,
skmsg is released before the asynchronous encryption process ends. As a
result, the UAF problem occurs during the asynchronous processing of the
encryption module.

If the operation is asynchronous and the encryption module returns
EINPROGRESS, do not free the record information.

Fixes: 635d93981786 ("net/tls: free record only on encryption error")
Signed-off-by: Liu Jian <liujian56@huawei.com>
---
v1->v2:
  Retain the current EBADMSG error info and add error handling.
 net/tls/tls_sw.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/net/tls/tls_sw.c b/net/tls/tls_sw.c
index 1ed4a611631f..d1fc295b83b5 100644
--- a/net/tls/tls_sw.c
+++ b/net/tls/tls_sw.c
@@ -817,7 +817,7 @@ static int bpf_exec_tx_verdict(struct sk_msg *msg, struct sock *sk,
 	psock = sk_psock_get(sk);
 	if (!psock || !policy) {
 		err = tls_push_record(sk, flags, record_type);
-		if (err && sk->sk_err == EBADMSG) {
+		if (err && err != -EINPROGRESS && sk->sk_err == EBADMSG) {
 			*copied -= sk_msg_free(sk, msg);
 			tls_free_open_rec(sk);
 			err = -sk->sk_err;
@@ -846,7 +846,7 @@ static int bpf_exec_tx_verdict(struct sk_msg *msg, struct sock *sk,
 	switch (psock->eval) {
 	case __SK_PASS:
 		err = tls_push_record(sk, flags, record_type);
-		if (err && sk->sk_err == EBADMSG) {
+		if (err && err != -EINPROGRESS && sk->sk_err == EBADMSG) {
 			*copied -= sk_msg_free(sk, msg);
 			tls_free_open_rec(sk);
 			err = -sk->sk_err;
-- 
2.34.1


^ permalink raw reply related	[flat|nested] 3+ messages in thread

* Re: [PATCH net v2] net/tls: do not free tls_rec on async operation in bpf_exec_tx_verdict()
  2023-09-09  8:14 [PATCH net v2] net/tls: do not free tls_rec on async operation in bpf_exec_tx_verdict() Liu Jian
@ 2023-09-11  9:16 ` Sabrina Dubroca
  2023-09-12  8:00 ` patchwork-bot+netdevbpf
  1 sibling, 0 replies; 3+ messages in thread
From: Sabrina Dubroca @ 2023-09-11  9:16 UTC (permalink / raw)
  To: Liu Jian
  Cc: borisp, john.fastabend, kuba, davem, edumazet, pabeni, vfedorenko,
	netdev

2023-09-09, 16:14:34 +0800, Liu Jian wrote:
> I got the below warning when do fuzzing test:
> BUG: KASAN: null-ptr-deref in scatterwalk_copychunks+0x320/0x470
> Read of size 4 at addr 0000000000000008 by task kworker/u8:1/9
> 
> CPU: 0 PID: 9 Comm: kworker/u8:1 Tainted: G           OE
> Hardware name: linux,dummy-virt (DT)
> Workqueue: pencrypt_parallel padata_parallel_worker
> Call trace:
>  dump_backtrace+0x0/0x420
>  show_stack+0x34/0x44
>  dump_stack+0x1d0/0x248
>  __kasan_report+0x138/0x140
>  kasan_report+0x44/0x6c
>  __asan_load4+0x94/0xd0
>  scatterwalk_copychunks+0x320/0x470
>  skcipher_next_slow+0x14c/0x290
>  skcipher_walk_next+0x2fc/0x480
>  skcipher_walk_first+0x9c/0x110
>  skcipher_walk_aead_common+0x380/0x440
>  skcipher_walk_aead_encrypt+0x54/0x70
>  ccm_encrypt+0x13c/0x4d0
>  crypto_aead_encrypt+0x7c/0xfc
>  pcrypt_aead_enc+0x28/0x84
>  padata_parallel_worker+0xd0/0x2dc
>  process_one_work+0x49c/0xbdc
>  worker_thread+0x124/0x880
>  kthread+0x210/0x260
>  ret_from_fork+0x10/0x18
> 
> This is because the value of rec_seq of tls_crypto_info configured by the
> user program is too large, for example, 0xffffffffffffff. In addition, TLS
> is asynchronously accelerated. When tls_do_encryption() returns
> -EINPROGRESS and sk->sk_err is set to EBADMSG due to rec_seq overflow,
> skmsg is released before the asynchronous encryption process ends. As a
> result, the UAF problem occurs during the asynchronous processing of the
> encryption module.
> 
> If the operation is asynchronous and the encryption module returns
> EINPROGRESS, do not free the record information.
> 
> Fixes: 635d93981786 ("net/tls: free record only on encryption error")
> Signed-off-by: Liu Jian <liujian56@huawei.com>

Reviewed-by: Sabrina Dubroca <sd@queasysnail.net>

-- 
Sabrina


^ permalink raw reply	[flat|nested] 3+ messages in thread

* Re: [PATCH net v2] net/tls: do not free tls_rec on async operation in bpf_exec_tx_verdict()
  2023-09-09  8:14 [PATCH net v2] net/tls: do not free tls_rec on async operation in bpf_exec_tx_verdict() Liu Jian
  2023-09-11  9:16 ` Sabrina Dubroca
@ 2023-09-12  8:00 ` patchwork-bot+netdevbpf
  1 sibling, 0 replies; 3+ messages in thread
From: patchwork-bot+netdevbpf @ 2023-09-12  8:00 UTC (permalink / raw)
  To: Liu Jian
  Cc: borisp, john.fastabend, kuba, davem, edumazet, pabeni, vfedorenko,
	sd, netdev

Hello:

This patch was applied to netdev/net.git (main)
by Paolo Abeni <pabeni@redhat.com>:

On Sat, 9 Sep 2023 16:14:34 +0800 you wrote:
> I got the below warning when do fuzzing test:
> BUG: KASAN: null-ptr-deref in scatterwalk_copychunks+0x320/0x470
> Read of size 4 at addr 0000000000000008 by task kworker/u8:1/9
> 
> CPU: 0 PID: 9 Comm: kworker/u8:1 Tainted: G           OE
> Hardware name: linux,dummy-virt (DT)
> Workqueue: pencrypt_parallel padata_parallel_worker
> Call trace:
>  dump_backtrace+0x0/0x420
>  show_stack+0x34/0x44
>  dump_stack+0x1d0/0x248
>  __kasan_report+0x138/0x140
>  kasan_report+0x44/0x6c
>  __asan_load4+0x94/0xd0
>  scatterwalk_copychunks+0x320/0x470
>  skcipher_next_slow+0x14c/0x290
>  skcipher_walk_next+0x2fc/0x480
>  skcipher_walk_first+0x9c/0x110
>  skcipher_walk_aead_common+0x380/0x440
>  skcipher_walk_aead_encrypt+0x54/0x70
>  ccm_encrypt+0x13c/0x4d0
>  crypto_aead_encrypt+0x7c/0xfc
>  pcrypt_aead_enc+0x28/0x84
>  padata_parallel_worker+0xd0/0x2dc
>  process_one_work+0x49c/0xbdc
>  worker_thread+0x124/0x880
>  kthread+0x210/0x260
>  ret_from_fork+0x10/0x18
> 
> [...]

Here is the summary with links:
  - [net,v2] net/tls: do not free tls_rec on async operation in bpf_exec_tx_verdict()
    https://git.kernel.org/netdev/net/c/cfaa80c91f6f

You are awesome, thank you!
-- 
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html



^ permalink raw reply	[flat|nested] 3+ messages in thread

end of thread, other threads:[~2023-09-12  8:00 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2023-09-09  8:14 [PATCH net v2] net/tls: do not free tls_rec on async operation in bpf_exec_tx_verdict() Liu Jian
2023-09-11  9:16 ` Sabrina Dubroca
2023-09-12  8:00 ` patchwork-bot+netdevbpf

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).