| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20230906204727.08a79e00@kernel.org> Date: Wed, 6 Sep 2023 20:47:27 -0700 From: Jakub Kicinski <kuba@...nel.org> To: Sabrina Dubroca <sd@...asysnail.net> Cc: netdev@...r.kernel.org, Dave Watson <davejwatson@...com>, Vakul Garg <vakul.garg@....com>, Boris Pismenny <borisp@...dia.com>, John Fastabend <john.fastabend@...il.com> Subject: Re: [PATCH net 5/5] tls: don't decrypt the next record if it's of a different type On Wed, 6 Sep 2023 19:08:35 +0200 Sabrina Dubroca wrote: > If the next record is of a different type, we won't copy it to > userspace in this round, tls_record_content_type will stop us just > after decryption. Skip decryption until the next recvmsg() call. > > This fixes a use-after-free when a data record is decrypted > asynchronously but doesn't fill the userspace buffer, and the next > record is non-data, for example in the bad_cmsg selftest. What's the UAF on? > diff --git a/net/tls/tls_sw.c b/net/tls/tls_sw.c > index f80a2ea1dd7e..86b835b15872 100644 > --- a/net/tls/tls_sw.c > +++ b/net/tls/tls_sw.c > @@ -2010,6 +2010,9 @@ int tls_sw_recvmsg(struct sock *sk, > else > darg.async = false; > > + if (ctx->async_capable && control && tlm->control != control) > + goto recv_end;
Powered by blists - more mailing lists