| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 18 Oct 2023 18:25:55 -0700 From: Jakub Kicinski <kuba@...nel.org> To: Juntong Deng <juntong.deng@...look.com> Cc: borisp@...dia.com, john.fastabend@...il.com, davem@...emloft.net, edumazet@...gle.com, pabeni@...hat.com, netdev@...r.kernel.org, linux-kernel@...r.kernel.org, linux-kernel-mentees@...ts.linuxfoundation.org, syzbot+29c22ea2d6b2c5fd2eae@...kaller.appspotmail.com, Sabrina Dubroca <sd@...asysnail.net> Subject: Re: [PATCH v2] net/tls: Fix slab-use-after-free in tls_encrypt_done On Wed, 18 Oct 2023 00:22:15 +0800 Juntong Deng wrote: > In the current implementation, ctx->async_wait.completion is completed > after spin_lock_bh, which causes tls_sw_release_resources_tx to > continue executing and return to tls_sk_proto_cleanup, then return > to tls_sk_proto_close, and after that enter tls_sw_free_ctx_tx to kfree > the entire struct tls_sw_context_tx (including ctx->encrypt_compl_lock). > > Since ctx->encrypt_compl_lock has been freed, subsequent spin_unlock_bh > will result in slab-use-after-free error. Due to SMP, even using > spin_lock_bh does not prevent tls_sw_release_resources_tx from continuing > on other CPUs. After tls_sw_release_resources_tx is woken up, there is no > attempt to hold ctx->encrypt_compl_lock again, therefore everything > described above is possible. Whoever triggered the Tx should wait for all outstanding encryption to finish before exiting sendmsg() (or alike). This looks like a band-aid. Sabrina is working on fixes for the async code, lets get those in first before attempting spot fixes. -- pw-bot: cr
Powered by blists - more mailing lists