Message-ID: <YoXm2MIxa6XOvUZe@samus.usersys.redhat.com>
Date:   Thu, 19 May 2022 08:42:32 +0200
From:   Artem Savkov <asavkov@...hat.com>
To:     Jakub Kicinski <kuba@...nel.org>
Cc:     davem@...emloft.net, netdev@...r.kernel.org, edumazet@...gle.com,
        pabeni@...hat.com, borisp@...dia.com, john.fastabend@...il.com,
        daniel@...earbox.net
Subject: Re: [PATCH net-next] net: tls: fix messing up lists when bpf enabled

On Wed, May 18, 2022 at 01:56:44PM -0700, Jakub Kicinski wrote:
> Artem points out that skb may try to take over the skb and
                        ^^^ I think you meant "bpf"

> queue it to its own list. Unlink the skb before calling out.
> 
> Fixes: b1a2c1786330 ("tls: rx: clear ctx->recv_pkt earlier")
> Reported-by: Artem Savkov <asavkov@...hat.com>
Tested-by: Artem Savkov <asavkov@...hat.com>

> Signed-off-by: Jakub Kicinski <kuba@...nel.org>
> ---
> CC: borisp@...dia.com
> CC: john.fastabend@...il.com
> CC: daniel@...earbox.net
> ---
>  net/tls/tls_sw.c | 4 +++-
>  1 file changed, 3 insertions(+), 1 deletion(-)
> 
> diff --git a/net/tls/tls_sw.c b/net/tls/tls_sw.c
> index 939d1673f508..0513f82b8537 100644
> --- a/net/tls/tls_sw.c
> +++ b/net/tls/tls_sw.c
> @@ -1837,15 +1837,17 @@ int tls_sw_recvmsg(struct sock *sk,
>  			bool partially_consumed = chunk > len;
>  
>  			if (bpf_strp_enabled) {
> +				/* BPF may try to queue the skb */
> +				__skb_unlink(skb, &ctx->rx_list);
>  				err = sk_psock_tls_strp_read(psock, skb);
>  				if (err != __SK_PASS) {
>  					rxm->offset = rxm->offset + rxm->full_len;
>  					rxm->full_len = 0;
> -					__skb_unlink(skb, &ctx->rx_list);
>  					if (err == __SK_DROP)
>  						consume_skb(skb);
>  					continue;
>  				}
> +				__skb_queue_tail(&ctx->rx_list, skb);
>  			}
>  
>  			if (partially_consumed)
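Review bot: the re-queue on the __SK_PASS path uses __skb_queue_tail(&ctx->rx_list, skb), so an skb that was unlinked from anywhere other than the tail comes back in a different position than it left. The visible context does not show where skb sits in ctx->rx_list when this branch runs. If the list can hold other records at this point, the unlink/re-queue pair reorders them relative to skb; in that case the skb should be put back where it was taken from (for example __skb_queue_head() if it was the head). If skb is always the last entry here, a short comment saying so next to the __skb_queue_tail() call would make the invariant explicit. The new comment "BPF may try to queue the skb" could also say that the verdict path may link the skb onto its own list, which is why it must be off rx_list before sk_psock_tls_strp_read() is called.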
> -- 
> 2.34.3
> 

-- 
 Artem
