
Commit 49c47cc

HBh25Ykuba-moo
authored andcommitted
net: tls: fix possible race condition between do_tls_getsockopt_conf() and do_tls_setsockopt_conf()
ctx->crypto_send.info is not protected by lock_sock in do_tls_getsockopt_conf(). A race condition between do_tls_getsockopt_conf() and error paths of do_tls_setsockopt_conf() may lead to a use-after-free or null-deref. More discussion: https://lore.kernel.org/all/Y/ht6gQL+u6fj3dG@hog/ Fixes: 3c4d755 ("tls: kernel TLS support") Signed-off-by: Hangyu Hua <[email protected]> Link: https://lore.kernel.org/r/[email protected] Signed-off-by: Jakub Kicinski <[email protected]>
1 parent 81563d8 commit 49c47cc


1 file changed

+5
-18
lines changed


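--- a/net/tls/tls_main.c
+++ b/net/tls/tls_main.c
@@ -405,13 +405,11 @@ static int do_tls_getsockopt_conf(struct sock *sk, char __user *optval,
 rc = -EINVAL;
 goto out;
 }
-lock_sock(sk);
 memcpy(crypto_info_aes_gcm_128->iv,
 cctx->iv + TLS_CIPHER_AES_GCM_128_SALT_SIZE,
 TLS_CIPHER_AES_GCM_128_IV_SIZE);
 memcpy(crypto_info_aes_gcm_128->rec_seq, cctx->rec_seq,
 TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
-release_sock(sk);
 if (copy_to_user(optval,
 crypto_info_aes_gcm_128,
 sizeof(*crypto_info_aes_gcm_128)))
@@ -429,13 +427,11 @@ static int do_tls_getsockopt_conf(struct sock *sk, char __user *optval,
 rc = -EINVAL;
 goto out;
 }
-lock_sock(sk);
 memcpy(crypto_info_aes_gcm_256->iv,
 cctx->iv + TLS_CIPHER_AES_GCM_256_SALT_SIZE,
 TLS_CIPHER_AES_GCM_256_IV_SIZE);
 memcpy(crypto_info_aes_gcm_256->rec_seq, cctx->rec_seq,
 TLS_CIPHER_AES_GCM_256_REC_SEQ_SIZE);
-release_sock(sk);
 if (copy_to_user(optval,
 crypto_info_aes_gcm_256,
 sizeof(*crypto_info_aes_gcm_256)))
@@ -451,13 +447,11 @@ static int do_tls_getsockopt_conf(struct sock *sk, char __user *optval,
 rc = -EINVAL;
 goto out;
 }
-lock_sock(sk);
 memcpy(aes_ccm_128->iv,
 cctx->iv + TLS_CIPHER_AES_CCM_128_SALT_SIZE,
 TLS_CIPHER_AES_CCM_128_IV_SIZE);
 memcpy(aes_ccm_128->rec_seq, cctx->rec_seq,
 TLS_CIPHER_AES_CCM_128_REC_SEQ_SIZE);
-release_sock(sk);
 if (copy_to_user(optval, aes_ccm_128, sizeof(*aes_ccm_128)))
 rc = -EFAULT;
 break;
@@ -472,13 +466,11 @@ static int do_tls_getsockopt_conf(struct sock *sk, char __user *optval,
 rc = -EINVAL;
 goto out;
 }
-lock_sock(sk);
 memcpy(chacha20_poly1305->iv,
 cctx->iv + TLS_CIPHER_CHACHA20_POLY1305_SALT_SIZE,
 TLS_CIPHER_CHACHA20_POLY1305_IV_SIZE);
 memcpy(chacha20_poly1305->rec_seq, cctx->rec_seq,
 TLS_CIPHER_CHACHA20_POLY1305_REC_SEQ_SIZE);
-release_sock(sk);
 if (copy_to_user(optval, chacha20_poly1305,
 sizeof(*chacha20_poly1305)))
 rc = -EFAULT;
@@ -493,13 +485,11 @@ static int do_tls_getsockopt_conf(struct sock *sk, char __user *optval,
 rc = -EINVAL;
 goto out;
 }
-lock_sock(sk);
 memcpy(sm4_gcm_info->iv,
 cctx->iv + TLS_CIPHER_SM4_GCM_SALT_SIZE,
 TLS_CIPHER_SM4_GCM_IV_SIZE);
 memcpy(sm4_gcm_info->rec_seq, cctx->rec_seq,
 TLS_CIPHER_SM4_GCM_REC_SEQ_SIZE);
-release_sock(sk);
 if (copy_to_user(optval, sm4_gcm_info, sizeof(*sm4_gcm_info)))
 rc = -EFAULT;
 break;
@@ -513,13 +503,11 @@ static int do_tls_getsockopt_conf(struct sock *sk, char __user *optval,
 rc = -EINVAL;
 goto out;
 }
-lock_sock(sk);
 memcpy(sm4_ccm_info->iv,
 cctx->iv + TLS_CIPHER_SM4_CCM_SALT_SIZE,
 TLS_CIPHER_SM4_CCM_IV_SIZE);
 memcpy(sm4_ccm_info->rec_seq, cctx->rec_seq,
 TLS_CIPHER_SM4_CCM_REC_SEQ_SIZE);
-release_sock(sk);
 if (copy_to_user(optval, sm4_ccm_info, sizeof(*sm4_ccm_info)))
 rc = -EFAULT;
 break;
@@ -535,13 +523,11 @@ static int do_tls_getsockopt_conf(struct sock *sk, char __user *optval,
 rc = -EINVAL;
 goto out;
 }
-lock_sock(sk);
 memcpy(crypto_info_aria_gcm_128->iv,
 cctx->iv + TLS_CIPHER_ARIA_GCM_128_SALT_SIZE,
 TLS_CIPHER_ARIA_GCM_128_IV_SIZE);
 memcpy(crypto_info_aria_gcm_128->rec_seq, cctx->rec_seq,
 TLS_CIPHER_ARIA_GCM_128_REC_SEQ_SIZE);
-release_sock(sk);
 if (copy_to_user(optval,
 crypto_info_aria_gcm_128,
 sizeof(*crypto_info_aria_gcm_128)))
@@ -559,13 +545,11 @@ static int do_tls_getsockopt_conf(struct sock *sk, char __user *optval,
 rc = -EINVAL;
 goto out;
 }
-lock_sock(sk);
 memcpy(crypto_info_aria_gcm_256->iv,
 cctx->iv + TLS_CIPHER_ARIA_GCM_256_SALT_SIZE,
 TLS_CIPHER_ARIA_GCM_256_IV_SIZE);
 memcpy(crypto_info_aria_gcm_256->rec_seq, cctx->rec_seq,
 TLS_CIPHER_ARIA_GCM_256_REC_SEQ_SIZE);
-release_sock(sk);
 if (copy_to_user(optval,
 crypto_info_aria_gcm_256,
 sizeof(*crypto_info_aria_gcm_256)))
@@ -614,11 +598,9 @@ static int do_tls_getsockopt_no_pad(struct sock *sk, char __user *optval,
 if (len < sizeof(value))
 return -EINVAL;
 
-lock_sock(sk);
 value = -EINVAL;
 if (ctx->rx_conf == TLS_SW || ctx->rx_conf == TLS_HW)
 value = ctx->rx_no_pad;
-release_sock(sk);
 if (value < 0)
 return value;
 
@@ -635,6 +617,8 @@ static int do_tls_getsockopt(struct sock *sk, int optname,
 {
 int rc = 0;
 
+lock_sock(sk);
+
 switch (optname) {
 case TLS_TX:
 case TLS_RX:
@@ -651,6 +635,9 @@ static int do_tls_getsockopt(struct sock *sk, int optname,
 rc = -ENOPROTOOPT;
 break;
 }
+
+release_sock(sk);
+
 return rc;
 }
 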
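Review bot: After this change do_tls_getsockopt_conf() and do_tls_getsockopt_no_pad() silently depend on do_tls_getsockopt() holding the socket lock, and nothing in the new code records or enforces that contract. A later caller that reaches either helper without lock_sock() would reopen the use-after-free/null-deref window on ctx->crypto_send.info that the commit message describes. I would add `sock_owned_by_me(sk);` as the first statement of each helper, or at minimum a comment `/* Caller must hold the socket lock. */` above them; both helper bodies start and end outside the visible hunks, so the exact placement needs checking against the full file. Note also that copy_to_user() in each cipher case now runs with the socket lock held, which should be acceptable because lock_sock() may sleep, but it lengthens the hold time compared with the old locking around the memcpy() pairs only.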
