| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <20180116090037.44423-1-ilyal@mellanox.com>
Date: Tue, 16 Jan 2018 11:00:37 +0200
From: Ilya Lesokhin <ilyal@...lanox.com>
To: netdev@...r.kernel.org, davem@...emloft.net
Cc: davejwatson@...com, Ilya Lesokhin <ilyal@...lanox.com>
Subject: [PATCH net 1/1] net/tls: Only attach to sockets in ESTABLISHED state
Calling accept on a TCP socket with a TLS ulp attached results
in two sockets that share the same ulp context.
The ulp context is freed while a socket is destroyed, so
after one of the sockets is released, the second second will
trigger a use after free when it tries to access the ulp context
attached to it.
We restrict the TLS ulp to sockets in ESTABLISHED state
to prevent the scenario above.
Fixes: 3c4d755 ('tls: kernel TLS support')
Reported-by: syzbot+904e7cd6c5c741609228@...kaller.appspotmail.com
Signed-off-by: Ilya Lesokhin <ilyal@...lanox.com>
---
net/tls/tls_main.c | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/net/tls/tls_main.c b/net/tls/tls_main.c
index e07ee3ae0023..a1a4e50acb53 100644
--- a/net/tls/tls_main.c
+++ b/net/tls/tls_main.c
@@ -454,6 +454,15 @@ static int tls_init(struct sock *sk)
struct tls_context *ctx;
int rc = 0;
+ /* The TLS ulp is correnctly supported only for TCP sockets
+ * in ESTABLISHED state.
+ * Supporting sockets in TCP_LISTEN state will require us
+ * to modify the accept implementation to clone rather then
+ * share the ulp context.
+ */
+ if (sk->sk_state != TCP_ESTABLISHED)
+ return -ENOTSUPP;
+
/* allocate tls context */
ctx = kzalloc(sizeof(*ctx), GFP_KERNEL);
if (!ctx) {
--
2.15.0.317.g14c63a9
Powered by blists - more mailing lists