lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Mon, 17 Feb 2020 12:39:08 +0200
From:   Boris Pismenny <borisp@...lanox.com>
To:     Rohit Maheshwari <rohitm@...lsio.com>, davem@...emloft.net,
        kuba@...nel.org, netdev@...r.kernel.org
Cc:     aviadye@...lanox.com, john.fastabend@...il.com,
        daniel@...earbox.net, manojmalviya@...lsio.com
Subject: Re: [PATCH net v3] net/tls: Fix to avoid gettig invalid tls record

On 2/16/2020 12:31 PM, Rohit Maheshwari wrote:
> Current code doesn't check if tcp sequence number is starting from (/after)
> 1st record's start sequnce number. It only checks if seq number is before
> 1st record's end sequnce number. This problem will always be a possibility
> in re-transmit case. If a record which belongs to a requested seq number is
> already deleted, tls_get_record will start looking into list and as per the
> check it will look if seq number is before the end seq of 1st record, which
> will always be true and will return 1st record always, it should in fact
> return NULL.
> As part of the fix, start looking each record only if the sequence number
> lies in the list else return NULL.
> There is one more check added, driver look for the start marker record to
> handle tcp packets which are before the tls offload start sequence number,
> hence return 1st record if the record is tls start marker and seq number is
> before the 1st record's starting sequence number.
>
> Fixes: e8f69799810c ("net/tls: Add generic NIC offload infrastructure")
> Signed-off-by: Rohit Maheshwari <rohitm@...lsio.com>
> ---
>  net/tls/tls_device.c | 21 ++++++++++++++++++++-
>  1 file changed, 20 insertions(+), 1 deletion(-)
>
> diff --git a/net/tls/tls_device.c b/net/tls/tls_device.c
> index cd91ad812291..00a26e66d361 100644
> --- a/net/tls/tls_device.c
> +++ b/net/tls/tls_device.c
> @@ -592,7 +592,7 @@ struct tls_record_info *tls_get_record(struct tls_offload_context_tx *context,
>  				       u32 seq, u64 *p_record_sn)
>  {
>  	u64 record_sn = context->hint_record_sn;
> -	struct tls_record_info *info;
> +	struct tls_record_info *info, *last;
>  
>  	info = context->retransmit_hint;
>  	if (!info ||
> @@ -604,6 +604,25 @@ struct tls_record_info *tls_get_record(struct tls_offload_context_tx *context,
>  						struct tls_record_info, list);
>  		if (!info)
>  			return NULL;
> +		/* send the start_marker record if seq number is before the
> +		 * tls offload start marker sequence number. This record is
> +		 * required to handle TCP packets which are before TLS offload
> +		 * started.
> +		 *  And if it's not start marker, look if this seq number
> +		 * belongs to the list.
> +		 */
> +		if (likely(!tls_record_is_start_marker(info))) {
> +			/* we have the first record, get the last record to see
> +			 * if this seq number belongs to the list.
> +			 */
> +			last = list_last_entry(&context->records_list,
> +					       struct tls_record_info, list);
> +			WARN_ON(!last);
> +
> +			if (!between(seq, tls_record_start_seq(info),
> +				     last->end_seq))
> +				return NULL;
> +		}
>  		record_sn = context->unacked_record_sn;
>  	}
>  

LGTM. Thanks Rohit

Reviewed-By: Boris Pismenny <borisp@...lanox.com>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ