[SRU,M,0/8] Fix for CVE-2024-2658{2,3,4,5}

Message ID 20240325103300.494141-1-juerg.haefliger@canonical.com

Message

Juerg Haefliger March 25, 2024, 10:32 a.m. UTC
This patch series fixes the following CVEs:
CVE-2024-26582
CVE-2024-26583
CVE-2024-26584
CVE-2024-26585

The patches are all cherry-picks from stable v6.6 so should eventually come in
via an Ubuntu stable update.

Test case:
1) Enable async crypto:
   $ modprobe tcrypt alg="pcrypt(generic-gcm-aesni)" type=3
2) Enable TLS function tracing:
   $ echo function_graph > /sys/kernel/tracing/current_tracer
   $ echo 'tls_*:mod:tls' > /sys/kernel/tracing/set_ftrace_filter
3) Run TLS kernel selftests from v6.8:
   $ ./linux-6.8/tools/testing/selftests/net/tls
4) Verify:
   - No call traces in the kernel log
   - All modified TLS functions were called
   - No additional unexpected TLS test failures

Note that the above test does *not* verify that the CVEs are actually fixed
but merely tries to ensure that the kernel doesn't blow up when exercising
the modified code paths.

Jakub Kicinski (5):
  net: tls: factor out tls_*crypt_async_wait()
  tls: fix race between async notify and socket close
  tls: fix race between tx work scheduling and socket close
  net: tls: handle backlogging of crypto requests
  net: tls: fix returned read length with async decrypt

John Fastabend (1):
  net: tls, fix WARNIING in __sk_msg_free

Sabrina Dubroca (2):
  tls: extract context alloc/initialization out of tls_set_sw_offload
  net: tls: fix use-after-free with partial reads and async decrypt

 include/net/tls.h |   5 --
 net/tls/tls_sw.c  | 223 ++++++++++++++++++++++++----------------------
 2 files changed, 116 insertions(+), 112 deletions(-)
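
The "Verify" step of the test case above can be scripted. The following is an added example, not part of the original message or of the kernel tree: the helper names are hypothetical, the `EXPECTED` list uses only function names that appear in the patch titles, and the trace and log samples are constructed.

```shell
#!/bin/sh
# Assumption: names taken from the patch titles in this series; extend the
# list from the diff of net/tls/tls_sw.c for full coverage.
EXPECTED="tls_encrypt_async_wait tls_decrypt_async_wait tls_set_sw_offload"

# Unique function names in function_graph output ($1 = trace file).
# Accepts both "name();" and "name [tls]() {" entries.
traced_functions() {
    sed -nE 's/.*[|] +([A-Za-z_][A-Za-z0-9_.]*)( \[[^]]*\])?\(\).*/\1/p' "$1" |
        sort -u
}

# Expected functions that never appear in the trace ($1 = trace file).
missing_functions() {
    seen=$(traced_functions "$1")
    for fn in $EXPECTED; do
        printf '%s\n' "$seen" | grep -qxF "$fn" || printf '%s\n' "$fn"
    done
}

# Number of kernel log lines that indicate a splat ($1 = saved dmesg output).
count_call_traces() {
    grep -cE 'Call Trace:|WARNING: |BUG: ' "$1" || true
}

# Constructed sample data (not captured from a real run).
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/trace" <<'EOF'
# tracer: function_graph
#
# CPU  DURATION                  FUNCTION CALLS
# |     |   |                     |   |   |   |
 1)               |  tls_set_sw_offload [tls]() {
 1)   4.120 us    |  }
 1)               |  tls_sw_recvmsg [tls]() {
 1)   0.310 us    |    tls_decrypt_async_wait [tls]();
 1)   9.870 us    |  }
 1)   0.290 us    |  tls_decrypt_async_wait();
EOF
cat > "$SAMPLE_DIR/dmesg" <<'EOF'
[  101.000000] tls: constructed sample line
[  102.000000] WARNING: CPU: 0 PID: 1234 at (constructed)
[  102.000001] Call Trace:
EOF

echo "not traced: $(missing_functions "$SAMPLE_DIR/trace")"
echo "suspicious log lines: $(count_call_traces "$SAMPLE_DIR/dmesg")"
```

On a test machine, pass `/sys/kernel/tracing/trace` and a file holding the output of `dmesg` instead of the sample files; an empty "not traced" list and a count of 0 correspond to the first two verification points.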

Comments

Stefan Bader March 25, 2024, 1:24 p.m. UTC | #1
On 25.03.24 11:32, Juerg Haefliger wrote:
> This patch series fixes the following CVEs:
> CVE-2024-26582
> CVE-2024-26583
> CVE-2024-26584
> CVE-2024-26585
> 
> The patches are all cherry-picks from stable v6.6 so should eventually come in
> via an Ubuntu stable update.
> 
> Test case:
> 1) Enable async crypto:
>     $ modprobe tcrypt alg="pcrypt(generic-gcm-aesni)" type=3
> 2) Enable TLS function tracing:
>     $ echo function_graph > /sys/kernel/tracing/current_tracer
>     $ echo 'tls_*:mod:tls' > /sys/kernel/tracing/set_ftrace_filter
> 3) Run TLS kernel selftests from v6.8:
>     $ ./linux-6.8/tools/testing/selftests/net/tls
> 4) Verify:
>     - No call traces in the kernel log
>     - All modified TLS functions were called
>     - No additional unexpected TLS test failures
> 
> Note that the above test does *not* verify that the CVEs are actually fixed
> but merely tries to ensure that the kernel doesn't blow up when exercising
> the modified code paths.
> 
> Jakub Kicinski (5):
>    net: tls: factor out tls_*crypt_async_wait()
>    tls: fix race between async notify and socket close
>    tls: fix race between tx work scheduling and socket close
>    net: tls: handle backlogging of crypto requests
>    net: tls: fix returned read length with async decrypt
> 
> John Fastabend (1):
>    net: tls, fix WARNIING in __sk_msg_free
> 
> Sabrina Dubroca (2):
>    tls: extract context alloc/initialization out of tls_set_sw_offload
>    net: tls: fix use-after-free with partial reads and async decrypt
> 
>   include/net/tls.h |   5 --
>   net/tls/tls_sw.c  | 223 ++++++++++++++++++++++++----------------------
>   2 files changed, 116 insertions(+), 112 deletions(-)
> 

Cherry picks from linux-6.6.y and regression tested. I guess it's due to 
similar issues and code paths but maybe a short explanation why 4 issues 
were combined under one submission would be nice. Not really necessary 
but personally I find it helpful if it is mentioned which kernel 
versions are affected (in this case I guess the oldest for any of the 
CVEs) by this.

Acked-by: Stefan Bader <stefan.bader@canonical.com>

Portia Stephens March 27, 2024, 12:35 a.m. UTC | #2
On Mon, Mar 25, 2024 at 8:34 PM Juerg Haefliger
<juerg.haefliger@canonical.com> wrote:
>
> This patch series fixes the following CVEs:
> CVE-2024-26582
> CVE-2024-26583
> CVE-2024-26584
> CVE-2024-26585
>
> The patches are all cherry-picks from stable v6.6 so should eventually come in
> via an Ubuntu stable update.
>
> Test case:
> 1) Enable async crypto:
>    $ modprobe tcrypt alg="pcrypt(generic-gcm-aesni)" type=3
> 2) Enable TLS function tracing:
>    $ echo function_graph > /sys/kernel/tracing/current_tracer
>    $ echo 'tls_*:mod:tls' > /sys/kernel/tracing/set_ftrace_filter
> 3) Run TLS kernel selftests from v6.8:
>    $ ./linux-6.8/tools/testing/selftests/net/tls
> 4) Verify:
>    - No call traces in the kernel log
>    - All modified TLS functions were called
>    - No additional unexpected TLS test failures
>
> Note that the above test does *not* verify that the CVEs are actually fixed
> but merely tries to ensure that the kernel doesn't blow up when exercising
> the modified code paths.
>
> Jakub Kicinski (5):
>   net: tls: factor out tls_*crypt_async_wait()
>   tls: fix race between async notify and socket close
>   tls: fix race between tx work scheduling and socket close
>   net: tls: handle backlogging of crypto requests
>   net: tls: fix returned read length with async decrypt
>
> John Fastabend (1):
>   net: tls, fix WARNIING in __sk_msg_free
>
> Sabrina Dubroca (2):
>   tls: extract context alloc/initialization out of tls_set_sw_offload
>   net: tls: fix use-after-free with partial reads and async decrypt
>
>  include/net/tls.h |   5 --
>  net/tls/tls_sw.c  | 223 ++++++++++++++++++++++++----------------------
>  2 files changed, 116 insertions(+), 112 deletions(-)
>

Patch 1 is already in mantic/master-next and the remaining will come
in via the 6.6.18 update which we will hopefully get to next week or
the week after.

Acked-by: Portia Stephens <portia.stephens@canonical.com>

Stefan Bader March 27, 2024, 10:52 a.m. UTC | #3
On 25.03.24 11:32, Juerg Haefliger wrote:
> This patch series fixes the following CVEs:
> CVE-2024-26582
> CVE-2024-26583
> CVE-2024-26584
> CVE-2024-26585
> 
> The patches are all cherry-picks from stable v6.6 so should eventually come in
> via an Ubuntu stable update.
> 
> Test case:
> 1) Enable async crypto:
>     $ modprobe tcrypt alg="pcrypt(generic-gcm-aesni)" type=3
> 2) Enable TLS function tracing:
>     $ echo function_graph > /sys/kernel/tracing/current_tracer
>     $ echo 'tls_*:mod:tls' > /sys/kernel/tracing/set_ftrace_filter
> 3) Run TLS kernel selftests from v6.8:
>     $ ./linux-6.8/tools/testing/selftests/net/tls
> 4) Verify:
>     - No call traces in the kernel log
>     - All modified TLS functions were called
>     - No additional unexpected TLS test failures
> 
> Note that the above test does *not* verify that the CVEs are actually fixed
> but merely tries to ensure that the kernel doesn't blow up when exercising
> the modified code paths.
> 
> Jakub Kicinski (5):
>    net: tls: factor out tls_*crypt_async_wait()
>    tls: fix race between async notify and socket close
>    tls: fix race between tx work scheduling and socket close
>    net: tls: handle backlogging of crypto requests
>    net: tls: fix returned read length with async decrypt
> 
> John Fastabend (1):
>    net: tls, fix WARNIING in __sk_msg_free
> 
> Sabrina Dubroca (2):
>    tls: extract context alloc/initialization out of tls_set_sw_offload
>    net: tls: fix use-after-free with partial reads and async decrypt
> 
>   include/net/tls.h |   5 --
>   net/tls/tls_sw.c  | 223 ++++++++++++++++++++++++----------------------
>   2 files changed, 116 insertions(+), 112 deletions(-)
> 

Applied to mantic:linux/master-next (added CVE number to already applied 
#1). Thanks.

-Stefan