lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <8d7a4c203ef9ac8ac359dcfd6684e8ec074f8e84@linux.dev>
Date: Tue, 15 Apr 2025 10:43:13 +0000
From: "Jiayuan Chen" <jiayuan.chen@...ux.dev>
To: "Ihor Solodrai" <ihor.solodrai@...ux.dev>, "Jakub Kicinski"
 <kuba@...nel.org>, davem@...emloft.net
Cc: netdev@...r.kernel.org, edumazet@...gle.com, pabeni@...hat.com,
 andrew+netdev@...n.ch, horms@...nel.org, borisp@...dia.com,
 john.fastabend@...il.com, sd@...asysnail.net, "Jakub Kicinski"
 <kuba@...nel.org>, syzbot+b4cd76826045a1eb93c1@...kaller.appspotmail.com,
 bpf@...r.kernel.org, "Alexei Starovoitov" <ast@...nel.org>
Subject: Re: [PATCH net 1/2] net: tls: explicitly disallow disconnect

April 15, 2025 at 11:16, "Ihor Solodrai" <ihor.solodrai@...ux.dev> wrote:



> 
> On 4/4/25 11:03 AM, Jakub Kicinski wrote:
> 
> > 
> > syzbot discovered that it can disconnect a TLS socket and then
> > 
> >  run into all sort of unexpected corner cases. I have a vague
> > 
> >  recollection of Eric pointing this out to us a long time ago.
> > 
> >  Supporting disconnect is really hard, for one thing if offload
> > 
> >  is enabled we'd need to wait for all packets to be _acked_.
> > 
> >  Disconnect is not commonly used, disallow it.
> > 
> >  The immediate problem syzbot run into is the warning in the strp,
> > 
> >  but that's just the easiest bug to trigger:
> > 
> >  WARNING: CPU: 0 PID: 5834 at net/tls/tls_strp.c:486 tls_strp_msg_load+0x72e/0xa80 net/tls/tls_strp.c:486
> > 
> >  RIP: 0010:tls_strp_msg_load+0x72e/0xa80 net/tls/tls_strp.c:486
> > 
> >  Call Trace:
> > 
> >  <TASK>
> > 
> >  tls_rx_rec_wait+0x280/0xa60 net/tls/tls_sw.c:1363
> > 
> >  tls_sw_recvmsg+0x85c/0x1c30 net/tls/tls_sw.c:2043
> > 
> >  inet6_recvmsg+0x2c9/0x730 net/ipv6/af_inet6.c:678
> > 
> >  sock_recvmsg_nosec net/socket.c:1023 [inline]
> > 
> >  sock_recvmsg+0x109/0x280 net/socket.c:1045
> > 
> >  __sys_recvfrom+0x202/0x380 net/socket.c:2237
> > 
> >  Fixes: 3c4d7559159b ("tls: kernel TLS support")
> > 
> >  Reported-by: syzbot+b4cd76826045a1eb93c1@...kaller.appspotmail.com
> > 
> >  Signed-off-by: Jakub Kicinski <kuba@...nel.org>
> > 
> 
> Hi everyone.
> 
> This patch has broken a BPF selftest and as a result BPF CI:
> 
> * https://github.com/kernel-patches/bpf/actions/runs/14458537639
> 
> * https://github.com/kernel-patches/bpf/actions/runs/14457178732
> 
> The test in question is test_sockmap_ktls_disconnect_after_delete
> 
> (tools/testing/selftests/bpf/prog_tests/sockmap_ktls.c) [1].
> 
> Since the test is about disconnect use-case, and the patch disallows
> 
> it, I assume it's appropriate to simply remove the test?
> 
> Please let me know. Thanks.
> 
> [1] https://web.git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf.git/tree/tools/testing/selftests/bpf/prog_tests/sockmap_ktls.c#n28
> 
> > 
> > ---
> >  net/tls/tls_main.c | 6 ++++++
> >  1 file changed, 6 insertions(+)
> >  diff --git a/net/tls/tls_main.c b/net/tls/tls_main.c
> >  index cb86b0bf9a53..a3ccb3135e51 100644
> >  --- a/net/tls/tls_main.c
> >  +++ b/net/tls/tls_main.c
> >  @@ -852,6 +852,11 @@ static int tls_setsockopt(struct sock *sk, int level, int optname,
> >  return do_tls_setsockopt(sk, optname, optval, optlen);
> >  }
> > 
> >  
> >  +static int tls_disconnect(struct sock *sk, int flags)
> > 
> >  +{
> >  + return -EOPNOTSUPP;
> >  +}
> >  +
> >  struct tls_context *tls_ctx_create(struct sock *sk)
> >  {
> >  struct inet_connection_sock *icsk = inet_csk(sk);
> > 
> >  @@ -947,6 +952,7 @@ static void build_protos(struct proto prot[TLS_NUM_CONFIG][TLS_NUM_CONFIG],
> > 
> >  prot[TLS_BASE][TLS_BASE] = *base;
> >  prot[TLS_BASE][TLS_BASE].setsockopt = tls_setsockopt;
> >  prot[TLS_BASE][TLS_BASE].getsockopt = tls_getsockopt;
> >  + prot[TLS_BASE][TLS_BASE].disconnect = tls_disconnect;
> >  prot[TLS_BASE][TLS_BASE].close = tls_sk_proto_close;
> > 
> > 
> >  prot[TLS_SW][TLS_BASE] = prot[TLS_BASE][TLS_BASE];
> >
>

The original selftest patch d1ba1204f2ee was to re-produce the endless
loop fiexed by 4da6a196f93b.

sk->sk_prot->unhash
        tcp_bpf_unhash
            sk->sk_prot->unhash
                ...
It's try to use disconnect to trigger unhash handler.
I believe we can remove it and use another selftest
instead later.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ