lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <aDika2FRd4n+VRmZ@pop-os.localdomain>
Date: Thu, 29 May 2025 11:16:11 -0700
From: Cong Wang <xiyou.wangcong@...il.com>
To: Jiayuan Chen <jiayuan.chen@...ux.dev>
Cc: bpf@...r.kernel.org, Boris Pismenny <borisp@...dia.com>,
	John Fastabend <john.fastabend@...il.com>,
	Jakub Kicinski <kuba@...nel.org>,
	"David S. Miller" <davem@...emloft.net>,
	Eric Dumazet <edumazet@...gle.com>, Paolo Abeni <pabeni@...hat.com>,
	Simon Horman <horms@...nel.org>,
	Andrii Nakryiko <andrii@...nel.org>,
	Eduard Zingerman <eddyz87@...il.com>,
	Mykola Lysenko <mykolal@...com>,
	Alexei Starovoitov <ast@...nel.org>,
	Daniel Borkmann <daniel@...earbox.net>,
	Martin KaFai Lau <martin.lau@...ux.dev>, Song Liu <song@...nel.org>,
	Yonghong Song <yonghong.song@...ux.dev>,
	KP Singh <kpsingh@...nel.org>, Stanislav Fomichev <sdf@...ichev.me>,
	Hao Luo <haoluo@...gle.com>, Jiri Olsa <jolsa@...nel.org>,
	Shuah Khan <shuah@...nel.org>, Ihor Solodrai <isolodrai@...a.com>,
	netdev@...r.kernel.org, linux-kernel@...r.kernel.org,
	linux-kselftest@...r.kernel.org
Subject: Re: [PATCH bpf-next v1 1/2] bpf,ktls: Fix data corruption when using
 bpf_msg_pop_data() in ktls

On Fri, May 23, 2025 at 09:18:58PM +0800, Jiayuan Chen wrote:
> When sending plaintext data, we initially calculated the corresponding
> ciphertext length. However, if we later reduced the plaintext data length
> via socket policy, we failed to recalculate the ciphertext length.
> 
> This results in transmitting buffers containing uninitialized data during
> ciphertext transmission.
> 
> This causes uninitialized bytes to be appended after a complete
> "Application Data" packet, leading to errors on the receiving end when
> parsing TLS record.
> 
> Fixes: d3b18ad31f93 ("tls: add bpf support to sk_msg handling")
> Reported-by: Cong Wang <xiyou.wangcong@...il.com>
> Signed-off-by: Jiayuan Chen <jiayuan.chen@...ux.dev>
> ---
>  net/tls/tls_sw.c | 15 +++++++++++++++
>  1 file changed, 15 insertions(+)
> 
> diff --git a/net/tls/tls_sw.c b/net/tls/tls_sw.c
> index fc88e34b7f33..b23a4655be6a 100644
> --- a/net/tls/tls_sw.c
> +++ b/net/tls/tls_sw.c
> @@ -872,6 +872,21 @@ static int bpf_exec_tx_verdict(struct sk_msg *msg, struct sock *sk,
>  		delta = msg->sg.size;
>  		psock->eval = sk_psock_msg_verdict(sk, psock, msg);
>  		delta -= msg->sg.size;
> +
> +		if ((s32)delta > 0) {
> +			/* It indicates that we executed bpf_msg_pop_data(),
> +			 * causing the plaintext data size to decrease.
> +			 * Therefore the encrypted data size also needs to
> +			 * correspondingly decrease. We only need to subtract
> +			 * delta to calculate the new ciphertext length since
> +			 * ktls does not support block encryption.
> +			 */
> +			if (!WARN_ON_ONCE(!ctx->open_rec)) {

I am wondering if we need to WARN here? Because the code below this
handles it gracefully:

 931                 bool reset_eval = !ctx->open_rec;
 932 
 933                 rec = ctx->open_rec;
 934                 if (rec) {
 935                         msg = &rec->msg_plaintext;
 936                         if (!msg->apply_bytes)
 937                                 reset_eval = true;
 938                 }
 939                 if (reset_eval) {
 940                         psock->eval = __SK_NONE;
 941                         if (psock->sk_redir) {
 942                                 sock_put(psock->sk_redir);
 943                                 psock->sk_redir = NULL;
 944                         }
 945                 }


Thanks for fixing it!
Cong

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ