net: tls: fix possible race condition between do_tls_getsockopt_conf() and do_tls_setsockopt_conf()

mainline inclusion from mainline-v6.3-rc2 commit 49c47cc2 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I6NIUR CVE: CVE-2023-28466 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=49c47cc21b5b7a3d8deb18fc57b0aa2ab1286962 --------------------------- ctx->crypto_send.info is not protected by lock_sock in do_tls_getsockopt_conf(). A race condition between do_tls_getsockopt_conf() and error paths of do_tls_setsockopt_conf() may lead to a use-after-free or null-deref. More discussion: https://lore.kernel.org/all/Y/ht6gQL+u6fj3dG@hog/ Fixes: 3c4d7559 ("tls: kernel TLS support") Signed-off-by: N Hangyu Hua <hbh25y@gmail.com> Link: https://lore.kernel.org/r/20230228023344.9623-1-hbh25y@gmail.comSigned-off-by: N Jakub Kicinski <kuba@kernel.org> Signed-off-by: N Liu Jian <liujian56@huawei.com> Conflicts: net/tls/tls_main.c Reviewed-by: N Yue Haibing <yuehaibing@huawei.com> Reviewed-by: N Wang Weiyang <wangweiyang2@huawei.com> Signed-off-by: N Jialin Zhang <zhangjialin11@huawei.com>

net: tls: fix possible race condition between do_tls_getsockopt_conf() and do_tls_setsockopt_conf()
mainline inclusion from mainline-v6.3-rc2 commit 49c47cc2 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I6NIUR CVE: CVE-2023-28466 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=49c47cc21b5b7a3d8deb18fc57b0aa2ab1286962 --------------------------- ctx->crypto_send.info is not protected by lock_sock in do_tls_getsockopt_conf(). A race condition between do_tls_getsockopt_conf() and error paths of do_tls_setsockopt_conf() may lead to a use-after-free or null-deref. More discussion: https://lore.kernel.org/all/Y/ht6gQL+u6fj3dG@hog/ Fixes: 3c4d7559 ("tls: kernel TLS support") Signed-off-by: N Hangyu Hua <hbh25y@gmail.com> Link: https://lore.kernel.org/r/20230228023344.9623-1-hbh25y@gmail.comSigned-off-by: N Jakub Kicinski <kuba@kernel.org> Signed-off-by: N Liu Jian <liujian56@huawei.com> Conflicts: net/tls/tls_main.c Reviewed-by: N Yue Haibing <yuehaibing@huawei.com> Reviewed-by: N Wang Weiyang <wangweiyang2@huawei.com> Signed-off-by: N Jialin Zhang <zhangjialin11@huawei.com>
0267c66e · Hangyu Hua · Jialin Zhang · 8a2a4e91 · 0267c66e
隐藏空白更改
内联并排

Showing with 5 addition and 4 deletion

net/tls/tls_main.c net/tls/tls_main.c +5 -4

未找到文件。
--- a/net/tls/tls_main.c
+++ b/net/tls/tls_main.c
@@ -386,13 +386,11 @@ static int do_tls_getsockopt_conf(struct sock *sk, char __user *optval,
 			rc = -EINVAL;
 			goto out;
 		}
-		lock_sock(sk);
 		memcpy(crypto_info_aes_gcm_128->iv,
 		       cctx->iv + TLS_CIPHER_AES_GCM_128_SALT_SIZE,
 		       TLS_CIPHER_AES_GCM_128_IV_SIZE);
 		memcpy(crypto_info_aes_gcm_128->rec_seq, cctx->rec_seq,
 		       TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
-		release_sock(sk);
 		if (copy_to_user(optval,
 				 crypto_info_aes_gcm_128,
 				 sizeof(*crypto_info_aes_gcm_128)))
@@ -410,13 +408,11 @@ static int do_tls_getsockopt_conf(struct sock *sk, char __user *optval,
 			rc = -EINVAL;
 			goto out;
 		}
-		lock_sock(sk);
 		memcpy(crypto_info_aes_gcm_256->iv,
 		       cctx->iv + TLS_CIPHER_AES_GCM_256_SALT_SIZE,
 		       TLS_CIPHER_AES_GCM_256_IV_SIZE);
 		memcpy(crypto_info_aes_gcm_256->rec_seq, cctx->rec_seq,
 		       TLS_CIPHER_AES_GCM_256_REC_SEQ_SIZE);
-		release_sock(sk);
 		if (copy_to_user(optval,
 				 crypto_info_aes_gcm_256,
 				 sizeof(*crypto_info_aes_gcm_256)))
@@ -436,6 +432,8 @@ static int do_tls_getsockopt(struct sock *sk, int optname,
 {
 	int rc = 0;

+	lock_sock(sk);
+
 	switch (optname) {
 	case TLS_TX:
 	case TLS_RX:
@@ -446,6 +444,9 @@ static int do_tls_getsockopt(struct sock *sk, int optname,
 		rc = -ENOPROTOOPT;
 		break;
 	}
+
+	release_sock(sk);
+
 	return rc;
 }