Message-Id: <20250730200835.80605-1-okorniev@redhat.com>
Date: Wed, 30 Jul 2025 16:08:31 -0400
From: Olga Kornievskaia <okorniev@...hat.com>
To: chuck.lever@...cle.com,
jlayton@...nel.org,
trondmy@...merspace.com,
anna.schumaker@...cle.com,
hch@....de,
sagi@...mberg.me,
kch@...dia.com,
davem@...emloft.net,
edumazet@...gle.com,
kuba@...nel.org,
pabeni@...hat.com
Cc: linux-nfs@...r.kernel.org,
linux-nvme@...ts.infradead.org,
netdev@...r.kernel.org,
kernel-tls-handshake@...ts.linux.dev,
neil@...wn.name,
Dai.Ngo@...cle.com,
tom@...pey.com,
hare@...e.de,
horms@...nel.org,
kbusch@...nel.org
Subject: [PATCH 0/4] address tls_alert_recv usage by NFS and NvME

This is a multi-component patch series: NFS client, NFS server,
NVMe (target), net.

tls_alert_recv() was originally written to retrieve TLS alert
payload out of the msg iterator's kvec buffer. Yet, the callers of
tls_alert_recv() have not been careful enough to make sure that
msg has always been initialized with a kvec-backed iterator (i.e.,
sometimes bvec was used). Furthermore, callers didn't account
for the fact that the msg iterator's kvec is advanced by sock_recvmsg
upon filling up the provided space by the copy. All that led to
the ability to construct a malicious payload that would trigger
badness in tls_alert_recv().

This patch series attempts to address it in a couple of steps.
First, there are patches for each of the current consumers (NFS
server, NFS client, NVMe target) of tls_alert_recv to address
an immediate problem which I think should be backported.

Note, patch#3 is an NVMe patch that had no testing. Compile-only patch.

Second, the last patch builds on top of the fixes but changes
tls_alert_recv to force the callers to provide the kvec directly
in hopes that any future users of tls_alert_recv would be more
cognizant of providing location to the actual TLS alert payload.
Again note that nvme changes in patch#4 are compile only.

Olga Kornievskaia (4):
  sunrpc: fix handling of server side tls alerts
  sunrpc: fix client side handling of tls alerts
  nvmet-tcp: fix handling of tls alerts
  net/handshake: change tls_alert_recv to receive a kvec

 drivers/nvme/target/tcp.c | 37 +++++++++++++++-----------
 include/net/handshake.h   |  2 +-
 net/handshake/alert.c     |  6 ++---
 net/sunrpc/svcsock.c      | 56 ++++++++++++++++++++++++++++-----------
 net/sunrpc/xprtsock.c     | 51 ++++++++++++++++++++++++-----------
 5 files changed, 101 insertions(+), 51 deletions(-)

--
2.47.1
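
The iterator behaviour described in the cover letter, as an added userspace C model that is not code from this patch series or from the kernel: after a receive fills the buffer the iterator no longer designates the payload, while the caller's own kvec still does. All `*_model` types and functions are hypothetical stand-ins, and the two-byte alert is constructed sample data.

```c
/* Userspace model, constructed for illustration; not kernel code. */
#include <stddef.h>
#include <string.h>

enum kind_model { MODEL_KVEC, MODEL_BVEC };
struct kvec_model { unsigned char *base; size_t len; };
struct iter_model {                  /* stand-in for the msg iterator */
    enum kind_model kind;
    const struct kvec_model *kvec;   /* current segment; moves as data lands */
    size_t nr_segs, offset;
};

/* Copy n bytes in and advance the iterator, as a receive call does. */
static size_t recv_model(struct iter_model *it, const unsigned char *src, size_t n)
{
    size_t done = 0;
    while (done < n && it->nr_segs) {
        size_t room = it->kvec->len - it->offset;
        size_t c = (n - done < room) ? n - done : room;
        memcpy(it->kvec->base + it->offset, src + done, c);
        done += c; it->offset += c;
        /* segment full: the iterator steps past the caller's buffer */
        if (it->offset == it->kvec->len) { it->kvec++; it->nr_segs--; it->offset = 0; }
    }
    return done;
}
/* 1 only if the iterator is kvec-backed and still at the payload start. */
static int iter_points_at_payload(const struct iter_model *it)
{
    return it->kind == MODEL_KVEC && it->nr_segs > 0 && it->offset == 0;
}
/* Parse level/description from the caller's own kvec and received length. */
static int alert_from_kvec(const struct kvec_model *kv, size_t got, unsigned char *level, unsigned char *desc)
{
    if (got < 2 || kv->len < 2) return -1;   /* short record: nothing to parse */
    *level = kv->base[0]; *desc = kv->base[1];
    return 0;
}

/* Receive a constructed 2-byte alert; report what each approach sees. */
static int demo(int *iter_ok, unsigned char *level, unsigned char *desc)
{
    static const unsigned char wire[2] = { 2, 40 }; /* fatal, handshake_failure */
    unsigned char buf[2]; struct kvec_model kv = { buf, sizeof(buf) };
    struct iter_model it = { MODEL_KVEC, &kv, 1, 0 };
    size_t got = recv_model(&it, wire, sizeof(wire));
    *iter_ok = iter_points_at_payload(&it);  /* 0: iterator moved past buf */
    return alert_from_kvec(&kv, got, level, desc);
}

int main(void) { int ok; unsigned char l, d; return demo(&ok, &l, &d) != 0 || ok; }
```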