From patchwork Mon Mar 25 10:32:59 2024
X-Patchwork-Submitter: Juerg Haefliger
X-Patchwork-Id: 1915512
From: Juerg Haefliger
To: kernel-team@lists.ubuntu.com
Subject: [SRU][M][PATCH 7/8] net: tls: fix use-after-free with partial reads and async decrypt
Date: Mon, 25 Mar 2024 11:32:59 +0100
Message-Id: <20240325103300.494141-8-juerg.haefliger@canonical.com>
In-Reply-To: <20240325103300.494141-1-juerg.haefliger@canonical.com>
References: <20240325103300.494141-1-juerg.haefliger@canonical.com>

From: Sabrina Dubroca

CVE-2024-26582

[ Upstream commit 32b55c5ff9103b8508c1e04bfa5a08c64e7a925f ]

tls_decrypt_sg doesn't take a reference on the pages from clear_skb,
so the put_page() in tls_decrypt_done releases them, and we trigger
a use-after-free in process_rx_list when we try to read from the
partially-read skb.

Fixes: fd31f3996af2 ("tls: rx: decrypt into a fresh skb")
Signed-off-by: Sabrina Dubroca
Signed-off-by: Jakub Kicinski
Reviewed-by: Simon Horman
Signed-off-by: David S. Miller
Signed-off-by: Sasha Levin
(cherry picked from commit d684763534b969cca1022e2a28645c7cc91f7fa5 linux-6.6.y)
Signed-off-by: Juerg Haefliger
---
 net/tls/tls_sw.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/net/tls/tls_sw.c b/net/tls/tls_sw.c
index ad7ed6c203a9..1a814907adfe 100644
--- a/net/tls/tls_sw.c
+++ b/net/tls/tls_sw.c
@@ -63,6 +63,7 @@ struct tls_decrypt_ctx { u8 iv[MAX_IV_SIZE]; u8 aad[TLS_MAX_AAD_SIZE]; u8 tail; + bool free_sgout; struct scatterlist sg[]; };
@@ -187,7 +188,6 @@ static void tls_decrypt_done(void *data, int err) struct aead_request *aead_req = data; struct crypto_aead *aead = crypto_aead_reqtfm(aead_req); struct scatterlist *sgout = aead_req->dst; - struct scatterlist *sgin = aead_req->src; struct tls_sw_context_rx *ctx; struct tls_decrypt_ctx *dctx; struct tls_context *tls_ctx; @@ -224,7 +224,7 @@ static void tls_decrypt_done(void *data, int err) } /* Free the destination pages if skb was not decrypted inplace */ - if (sgout != sgin) { + if (dctx->free_sgout) { /* Skip the first S/G entry as it points to AAD */ for_each_sg(sg_next(sgout), sg, UINT_MAX, pages) { if (!sg) @@ -1580,6 +1580,7 @@ static int tls_decrypt_sg(struct sock *sk, struct iov_iter *out_iov, } else if (out_sg) { memcpy(sgout, out_sg, n_sgout * sizeof(*sgout)); } + dctx->free_sgout = !!pages; /* Prepare and submit AEAD request */ err = tls_do_decryption(sk, sgin, sgout, dctx->iv,
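Review bot: In the first hunk (@@ -63,6 +63,7 @@ struct tls_decrypt_ctx), the new `bool free_sgout;` field carries no comment, and its meaning is not obvious from the name: it is not "output differs from input" but "tls_decrypt_sg allocated the destination pages itself, so the completion must put them". A one-line comment on the field, e.g. `/* dst pages were allocated by tls_decrypt_sg and must be put on completion */`, would stop a future reader from re-deriving the old `sgout != sgin` test from it.

Review bot: In the tls_decrypt_done hunks (@@ -187,7 +188,6 @@ and @@ -224,7 +224,7 @@), the retained comment `/* Free the destination pages if skb was not decrypted inplace */` is now stale. The condition being tested is no longer in-place vs. not in-place: decrypting into clear_skb is also not in place, yet those pages belong to the skb and must not be put here, which is exactly the use-after-free this patch fixes. Suggest rewording the comment to match the new test, e.g. "Free the destination pages if they were allocated by tls_decrypt_sg", so the comment and `if (dctx->free_sgout)` say the same thing.

Review bot: In the tls_decrypt_sg hunk (@@ -1580,6 +1580,7 @@), `dctx->free_sgout = !!pages;` is correctly placed outside the if/else chain, so every path initializes the flag before tls_do_decryption submits the request, which matters because the async completion reads it. Since that ordering is load-bearing and nothing in the code enforces it, a short comment above the assignment ("must be set before the request is submitted; read from the async callback") would protect it against a later reordering.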