]> git.baikalelectronics.ru Git - kernel.git/commit
net/tls: Fix flipped sign in tls_err_abort() calls
authorDaniel Jordan <daniel.m.jordan@oracle.com>
Wed, 27 Oct 2021 21:59:20 +0000 (17:59 -0400)
committerDavid S. Miller <davem@davemloft.net>
Thu, 28 Oct 2021 13:41:20 +0000 (14:41 +0100)
commitda353fac65fede6b8b4cfe207f0d9408e3121105
treeb0a1293ce9b32dbfa05f50091fc24845eed64ada
parenta32f07d21102dd40496724e4416a7e97fc1755d8
net/tls: Fix flipped sign in tls_err_abort() calls

sk->sk_err appears to expect a positive value, a convention that ktls
doesn't always follow and that leads to memory corruption in other code.
For instance,

    [kworker]
    tls_encrypt_done(..., err=<negative error from crypto request>)
      tls_err_abort(.., err)
        sk->sk_err = err;

    [task]
    splice_from_pipe_feed
      ...
        tls_sw_do_sendpage
          if (sk->sk_err) {
            ret = -sk->sk_err;  // ret is positive

    splice_from_pipe_feed (continued)
      ret = actor(...)  // ret is still positive and interpreted as bytes
                        // written, resulting in underflow of buf->len and
                        // sd->len, leading to huge buf->offset and bogus
                        // addresses computed in later calls to actor()

Fix all tls_err_abort() callers to pass a negative error code
consistently and centralize the error-prone sign flip there, throwing in
a warning to catch future misuse and uninlining the function so it
really does only warn once.

Cc: stable@vger.kernel.org
Fixes: c46234ebb4d1e ("tls: RX path for ktls")
Reported-by: syzbot+b187b77c8474f9648fae@syzkaller.appspotmail.com
Signed-off-by: Daniel Jordan <daniel.m.jordan@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
include/net/tls.h
net/tls/tls_sw.c