lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <ZP7bAbz6I8L6Yirp@hog>
Date: Mon, 11 Sep 2023 11:16:49 +0200
From: Sabrina Dubroca <sd@...asysnail.net>
To: Liu Jian <liujian56@...wei.com>
Cc: borisp@...dia.com, john.fastabend@...il.com, kuba@...nel.org,
	davem@...emloft.net, edumazet@...gle.com, pabeni@...hat.com,
	vfedorenko@...ek.ru, netdev@...r.kernel.org
Subject: Re: [PATCH net v2] net/tls: do not free tls_rec on async operation
 in bpf_exec_tx_verdict()

2023-09-09, 16:14:34 +0800, Liu Jian wrote:
> I got the below warning when do fuzzing test:
> BUG: KASAN: null-ptr-deref in scatterwalk_copychunks+0x320/0x470
> Read of size 4 at addr 0000000000000008 by task kworker/u8:1/9
> 
> CPU: 0 PID: 9 Comm: kworker/u8:1 Tainted: G           OE
> Hardware name: linux,dummy-virt (DT)
> Workqueue: pencrypt_parallel padata_parallel_worker
> Call trace:
>  dump_backtrace+0x0/0x420
>  show_stack+0x34/0x44
>  dump_stack+0x1d0/0x248
>  __kasan_report+0x138/0x140
>  kasan_report+0x44/0x6c
>  __asan_load4+0x94/0xd0
>  scatterwalk_copychunks+0x320/0x470
>  skcipher_next_slow+0x14c/0x290
>  skcipher_walk_next+0x2fc/0x480
>  skcipher_walk_first+0x9c/0x110
>  skcipher_walk_aead_common+0x380/0x440
>  skcipher_walk_aead_encrypt+0x54/0x70
>  ccm_encrypt+0x13c/0x4d0
>  crypto_aead_encrypt+0x7c/0xfc
>  pcrypt_aead_enc+0x28/0x84
>  padata_parallel_worker+0xd0/0x2dc
>  process_one_work+0x49c/0xbdc
>  worker_thread+0x124/0x880
>  kthread+0x210/0x260
>  ret_from_fork+0x10/0x18
> 
> This is because the value of rec_seq of tls_crypto_info configured by the
> user program is too large, for example, 0xffffffffffffff. In addition, TLS
> is asynchronously accelerated. When tls_do_encryption() returns
> -EINPROGRESS and sk->sk_err is set to EBADMSG due to rec_seq overflow,
> skmsg is released before the asynchronous encryption process ends. As a
> result, the UAF problem occurs during the asynchronous processing of the
> encryption module.
> 
> If the operation is asynchronous and the encryption module returns
> EINPROGRESS, do not free the record information.
> 
> Fixes: 635d93981786 ("net/tls: free record only on encryption error")
> Signed-off-by: Liu Jian <liujian56@...wei.com>

Reviewed-by: Sabrina Dubroca <sd@...asysnail.net>

-- 
Sabrina

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ