| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sat, 14 Nov 2020 18:12:49 -0800
From: Jakub Kicinski <kuba@...nel.org>
To: Vadim Fedorenko <vfedorenko@...ek.ru>
Cc: Boris Pismenny <borisp@...dia.com>,
Aviad Yehezkel <aviadye@...dia.com>, netdev@...r.kernel.org
Subject: Re: [net] net/tls: fix corrupted data in recvmsg
On Sat, 14 Nov 2020 07:09:42 +0300 Vadim Fedorenko wrote:
> If tcp socket has more data than Encrypted Handshake Message then
> tls_sw_recvmsg will try to decrypt next record instead of returning
> full control message to userspace as mentioned in comment. The next
> message - usually Application Data - gets corrupted because it uses
> zero copy for decryption that's why the data is not stored in skb
> for next iteration. Disable zero copy for this case.
>
> Fixes: 692d7b5d1f91 ("tls: Fix recvmsg() to be able to peek across multiple records")
> Signed-off-by: Vadim Fedorenko <vfedorenko@...ek.ru>
Do you have some BPF in the mix?
I don't see how we would try to go past a non-data record otherwise,
since the loop ends like this:
if (tls_sw_advance_skb(sk, skb, chunk)) {
/* Return full control message to
* userspace before trying to parse
* another message type
*/
msg->msg_flags |= MSG_EOR;
if (ctx->control != TLS_RECORD_TYPE_DATA)
goto recv_end;
} else {
break;
}
Powered by blists - more mailing lists