From patchwork Mon Mar 25 10:32:53 2024
X-Patchwork-Submitter: Juerg Haefliger
X-Patchwork-Id: 1915505
From: Juerg Haefliger
To: kernel-team@lists.ubuntu.com
Subject: [SRU][M][PATCH 1/8] net: tls, fix WARNING in __sk_msg_free
Date: Mon, 25 Mar 2024 11:32:53 +0100
Message-Id: <20240325103300.494141-2-juerg.haefliger@canonical.com>
X-Mailer: git-send-email 2.40.1
In-Reply-To: <20240325103300.494141-1-juerg.haefliger@canonical.com>
References: <20240325103300.494141-1-juerg.haefliger@canonical.com>
List-Id: Kernel team discussions
Errors-To: kernel-team-bounces@lists.ubuntu.com
Sender: "kernel-team"
From: John Fastabend

CVE-2024-26583

[ Upstream commit dc9dfc8dc629e42f2234e3327b75324ffc752bc9 ]

A splice with MSG_SPLICE_PAGES will cause tls code to use the
tls_sw_sendmsg_splice path in the TLS sendmsg code to move the user
provided pages from the msg into the msg_pl. This will loop over the
msg until msg_pl is full, checked by sk_msg_full(msg_pl). The user
can also set the MORE flag to hint stack to delay sending until
receiving more pages and ideally a full buffer.

If the user adds more pages to the msg than can fit in the msg_pl
scatterlist (MAX_MSG_FRAGS) we should ignore the MORE flag and send
the buffer anyways.

What actually happens though is we abort the msg to msg_pl scatterlist
setup and then because we forget to set 'full record' indicating we
can no longer consume data without a send we fall through to the
'continue' path which will check if msg_data_left(msg) has more bytes
to send and then attempts to fit them in the already full msg_pl. Then
next iteration of sender doing send will encounter a full msg_pl and
throw the warning in the syzbot report.

To fix simply check if we have a full_record in splice code path
and if not send the msg regardless of MORE flag.

Reported-and-tested-by: syzbot+f2977222e0e95cec15c8@syzkaller.appspotmail.com
Reported-by: Edward Adam Davis
Fixes: fe1e81d4f73b ("tls/sw: Support MSG_SPLICE_PAGES")
Reviewed-by: Jakub Kicinski
Signed-off-by: John Fastabend
Signed-off-by: David S. Miller
Signed-off-by: Sasha Levin
(cherry picked from commit 02e368eb1444a4af649b73cbe2edd51780511d86 linux-6.6.y)
[juergh: This is not strictly required for fixing the CVE but prevents a
 call trace when running the tls kernel selftests.]
Signed-off-by: Juerg Haefliger
---
 net/tls/tls_sw.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/net/tls/tls_sw.c b/net/tls/tls_sw.c
index f55738a06def..882738d83f17 100644
--- a/net/tls/tls_sw.c
+++ b/net/tls/tls_sw.c
@@ -1049,7 +1049,11 @@ static int tls_sw_sendmsg_locked(struct sock *sk, struct msghdr *msg, if (ret < 0) goto send_end; tls_ctx->pending_open_record_frags = true; - if (full_record || eor || sk_msg_full(msg_pl)) + + if (sk_msg_full(msg_pl)) + full_record = true; + + if (full_record || eor) goto copied; continue; }
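Review bot: The new `if (sk_msg_full(msg_pl)) full_record = true;` deserves a one-line comment, because within this hunk its only visible consumer is the unchanged `if (full_record || eor) goto copied;`, so the assignment reads as a no-op rewrite of the removed `sk_msg_full(msg_pl)` test; the commit message explains that the point is to persist the "full record" state so the record is pushed even when the caller set the MORE flag, and something like `/* msg_pl scatterlist is full: push the record regardless of MSG_MORE */` above the check would carry that reasoning into the code. It would also be worth confirming in the SRU justification that the Mantic tree has the same `continue`-after-full-msg_pl loop structure shown here, since the [juergh:] note describes this as a selftest call-trace fix rather than part of the CVE change itself.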