| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20200218114007.0d53d9cc@kicinski-fedora-pc1c0hjn.DHCP.thefacebook.com>
Date: Tue, 18 Feb 2020 11:40:07 -0800
From: Jakub Kicinski <kuba@...nel.org>
To: Rohit Maheshwari <rohitm@...lsio.com>
Cc: davem@...emloft.net, netdev@...r.kernel.org, borisp@...lanox.com,
aviadye@...lanox.com, john.fastabend@...il.com,
daniel@...earbox.net, manojmalviya@...lsio.com
Subject: Re: [PATCH net v3] net/tls: Fix to avoid gettig invalid tls record
On Sun, 16 Feb 2020 16:01:08 +0530 Rohit Maheshwari wrote:
> Current code doesn't check if tcp sequence number is starting from (/after)
> 1st record's start sequnce number. It only checks if seq number is before
> 1st record's end sequnce number. This problem will always be a possibility
> in re-transmit case. If a record which belongs to a requested seq number is
> already deleted, tls_get_record will start looking into list and as per the
> check it will look if seq number is before the end seq of 1st record, which
> will always be true and will return 1st record always, it should in fact
> return NULL.
> As part of the fix, start looking each record only if the sequence number
> lies in the list else return NULL.
> There is one more check added, driver look for the start marker record to
> handle tcp packets which are before the tls offload start sequence number,
> hence return 1st record if the record is tls start marker and seq number is
> before the 1st record's starting sequence number.
>
> Fixes: e8f69799810c ("net/tls: Add generic NIC offload infrastructure")
> Signed-off-by: Rohit Maheshwari <rohitm@...lsio.com>
> ---
> net/tls/tls_device.c | 21 ++++++++++++++++++++-
> 1 file changed, 20 insertions(+), 1 deletion(-)
>
> diff --git a/net/tls/tls_device.c b/net/tls/tls_device.c
> index cd91ad812291..00a26e66d361 100644
> --- a/net/tls/tls_device.c
> +++ b/net/tls/tls_device.c
> @@ -592,7 +592,7 @@ struct tls_record_info *tls_get_record(struct tls_offload_context_tx *context,
> u32 seq, u64 *p_record_sn)
> {
> u64 record_sn = context->hint_record_sn;
> - struct tls_record_info *info;
> + struct tls_record_info *info, *last;
>
> info = context->retransmit_hint;
> if (!info ||
> @@ -604,6 +604,25 @@ struct tls_record_info *tls_get_record(struct tls_offload_context_tx *context,
> struct tls_record_info, list);
> if (!info)
> return NULL;
> + /* send the start_marker record if seq number is before the
> + * tls offload start marker sequence number. This record is
> + * required to handle TCP packets which are before TLS offload
> + * started.
> + * And if it's not start marker, look if this seq number
> + * belongs to the list.
> + */
> + if (likely(!tls_record_is_start_marker(info))) {
> + /* we have the first record, get the last record to see
> + * if this seq number belongs to the list.
> + */
> + last = list_last_entry(&context->records_list,
> + struct tls_record_info, list);
> + WARN_ON(!last);
The logic looks good, but this WARN_ON() does not make much sense.
list_last_entry() never returns NULL.
I think you can just drop this check, if list had a first entry, it
must have last, the caller is supposed to hold the lock which prevents
removal.
> + if (!between(seq, tls_record_start_seq(info),
> + last->end_seq))
> + return NULL;
> + }
> record_sn = context->unacked_record_sn;
> }
>
Powered by blists - more mailing lists