From patchwork Thu Sep  5 14:26:42 2024
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Juerg Haefliger <juerg.haefliger@canonical.com>
X-Patchwork-Id: 1981297
Return-Path: <kernel-team-bounces@lists.ubuntu.com>
X-Original-To: incoming@patchwork.ozlabs.org
Delivered-To: patchwork-incoming@legolas.ozlabs.org
Authentication-Results: legolas.ozlabs.org;
 spf=pass (sender SPF authorized) smtp.mailfrom=lists.ubuntu.com
 (client-ip=185.125.189.65; helo=lists.ubuntu.com;
 envelope-from=kernel-team-bounces@lists.ubuntu.com;
 receiver=patchwork.ozlabs.org)
Received: from lists.ubuntu.com (lists.ubuntu.com [185.125.189.65])
	(using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by legolas.ozlabs.org (Postfix) with ESMTPS id 4X01s54kGKz1yfv
	for <incoming@patchwork.ozlabs.org>; Fri,  6 Sep 2024 00:27:05 +1000 (AEST)
Received: from localhost ([127.0.0.1] helo=lists.ubuntu.com)
	by lists.ubuntu.com with esmtp (Exim 4.86_2)
	(envelope-from <kernel-team-bounces@lists.ubuntu.com>)
	id 1smDRp-0006CV-Rp; Thu, 05 Sep 2024 14:26:57 +0000
Received: from smtp-relay-internal-1.internal ([10.131.114.114]
 helo=smtp-relay-internal-1.canonical.com)
 by lists.ubuntu.com with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128)
 (Exim 4.86_2) (envelope-from <juerg.haefliger@canonical.com>)
 id 1smDRo-0006AW-8m
 for kernel-team@lists.ubuntu.com; Thu, 05 Sep 2024 14:26:56 +0000
Received: from mail-lf1-f71.google.com (mail-lf1-f71.google.com
 [209.85.167.71])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest
 SHA256)
 (No client certificate requested)
 by smtp-relay-internal-1.canonical.com (Postfix) with ESMTPS id DAE4B3F04D
 for <kernel-team@lists.ubuntu.com>; Thu,  5 Sep 2024 14:26:55 +0000 (UTC)
Received: by mail-lf1-f71.google.com with SMTP id
 2adb3069b0e04-5334acbac00so758090e87.0
 for <kernel-team@lists.ubuntu.com>; Thu, 05 Sep 2024 07:26:55 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20230601; t=1725546415; x=1726151215;
 h=content-transfer-encoding:mime-version:references:in-reply-to
 :message-id:date:subject:to:from:x-gm-message-state:from:to:cc
 :subject:date:message-id:reply-to;
 bh=11Ovyx0sGjBoxMPV75d1q+bFcGkYjwcly3xwMte8QZk=;
 b=miGYXqhCS5Z7OH0NWRc+b/SgvjO6gRFRnl29gnXjyLVnShJkrI2WA6I9v0/8MBHH6j
 QusgvJOn+A962ldBgWbsKlgPR+JfSoDYGwS97hv4oHb9Z580SbbpDB/1Ki2u3FG5oOBJ
 YwXW9d3zFQJhNHz4eSVfqpHJC6D/EiRuS0RsxmlCneZ7dGAr70CC5+JouxUp0qcEVmpK
 9oVb9W3/34NrucKnbkNvQq4R/OFPer1vc25fKP9fa/i65RcnM85oq1tmcsP3+ZLiMTG+
 mb9OA6fDQ9bWcwFbGFXoD3XOTlAbZL6byrPmwIGoyQnN2he0fOqIl/9WYXZbLFSF/q/X
 wX2A==
X-Gm-Message-State: AOJu0Yyj9TDUKm6+wG7N5FaGRWT83Ykt3EwaOgCJoftHReBx19emLN/4
 fpAWa3Lipia7FrdnECjsebqki/QX6NPgmT8NVUROupIBbWc+Gykt2thiNa+CkoTayIYScqIlJcO
 do6Md52Pzl/42EJMHsROGfImv+1cvMqc5RO+FF9keHOZG0O3MxlhPNoXxCO+SBXUET3NhM4pdNK
 MPef7OLzxaZw==
X-Received: by 2002:a05:6512:4025:b0:533:4b70:8722 with SMTP id
 2adb3069b0e04-53546b033f5mr14958303e87.15.1725546415112;
 Thu, 05 Sep 2024 07:26:55 -0700 (PDT)
X-Google-Smtp-Source: 
 AGHT+IFbPkohqiT0dPmhmRS5pr0hjElux4b7JUxdO7432NXdjfx30/xAy+rZneenjEYaxI++AvOT6g==
X-Received: by 2002:a05:6512:4025:b0:533:4b70:8722 with SMTP id
 2adb3069b0e04-53546b033f5mr14958252e87.15.1725546413796;
 Thu, 05 Sep 2024 07:26:53 -0700 (PDT)
Received: from localhost ([81.221.247.52]) by smtp.gmail.com with ESMTPSA id
 a640c23a62f3a-a8a623a45b0sm146713766b.143.2024.09.05.07.26.53
 for <kernel-team@lists.ubuntu.com>
 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
 Thu, 05 Sep 2024 07:26:53 -0700 (PDT)
From: Juerg Haefliger <juerg.haefliger@canonical.com>
To: kernel-team@lists.ubuntu.com
Subject: [SRU][J][PATCH 1/3] tls: rx: coalesce exit paths in tls_decrypt_sg()
Date: Thu,  5 Sep 2024 16:26:42 +0200
Message-ID: 
 <bae1c6098b44d13970786d86bf444b8a661bf138.1725545867.git.juerg.haefliger@canonical.com>
X-Mailer: git-send-email 2.43.0
In-Reply-To: <jammy.cover.1725545867.git.juerg.haefliger@canonical.com>
References: 
 <c33f68db9dd7b44b4c89cfe5685d410a5fd4deb5.1725545863.git.juerg.haefliger@canonical.com>
 <jammy.cover.1725545867.git.juerg.haefliger@canonical.com>
MIME-Version: 1.0
X-BeenThere: kernel-team@lists.ubuntu.com
X-Mailman-Version: 2.1.20
Precedence: list
List-Id: Kernel team discussions <kernel-team.lists.ubuntu.com>
List-Unsubscribe: <https://lists.ubuntu.com/mailman/options/kernel-team>,
 <mailto:kernel-team-request@lists.ubuntu.com?subject=unsubscribe>
List-Archive: <https://lists.ubuntu.com/archives/kernel-team>
List-Post: <mailto:kernel-team@lists.ubuntu.com>
List-Help: <mailto:kernel-team-request@lists.ubuntu.com?subject=help>
List-Subscribe: <https://lists.ubuntu.com/mailman/listinfo/kernel-team>,
 <mailto:kernel-team-request@lists.ubuntu.com?subject=subscribe>
Errors-To: kernel-team-bounces@lists.ubuntu.com
Sender: "kernel-team" <kernel-team-bounces@lists.ubuntu.com>

From: Jakub Kicinski <kuba@kernel.org>

Jump to the free() call, instead of having to remember
to free the memory in multiple places.

Signed-off-by: Jakub Kicinski <kuba@kernel.org>
(backported from commit 03957d84055e59235c7d57c95a37617bd3aa5646)
[juergh: Adjusted context.]
CVE-2024-26800
Signed-off-by: Juerg Haefliger <juerg.haefliger@canonical.com>
---
 net/tls/tls_sw.c | 14 +++++---------
 1 file changed, 5 insertions(+), 9 deletions(-)

diff --git a/net/tls/tls_sw.c b/net/tls/tls_sw.c
index 065454136be7..02d2e883d476 100644
--- a/net/tls/tls_sw.c
+++ b/net/tls/tls_sw.c
@@ -1501,10 +1501,8 @@ static int decrypt_internal(struct sock *sk, struct sk_buff *skb,
 	err = skb_copy_bits(skb, rxm->offset + TLS_HEADER_SIZE,
 			    iv + iv_offset + prot->salt_size,
 			    prot->iv_size);
-	if (err < 0) {
-		kfree(mem);
-		return err;
-	}
+	if (err < 0)
+		goto exit_free;
 	if (prot->version == TLS_1_3_VERSION ||
 	    prot->cipher_type == TLS_CIPHER_CHACHA20_POLY1305)
 		memcpy(iv + iv_offset, tls_ctx->rx.iv,
@@ -1525,10 +1523,8 @@ static int decrypt_internal(struct sock *sk, struct sk_buff *skb,
 	err = skb_to_sgvec(skb, &sgin[1],
 			   rxm->offset + prot->prepend_size,
 			   rxm->full_len - prot->prepend_size);
-	if (err < 0) {
-		kfree(mem);
-		return err;
-	}
+	if (err < 0)
+		goto exit_free;
 
 	if (n_sgout) {
 		if (out_iov) {
@@ -1561,7 +1557,7 @@ static int decrypt_internal(struct sock *sk, struct sk_buff *skb,
 	/* Release the pages in case iov was mapped to pages */
 	for (; pages > 0; pages--)
 		put_page(sg_page(&sgout[pages]));
-
+exit_free:
 	kfree(mem);
 	return err;
 }