| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <20250730200835.80605-1-okorniev@redhat.com> Date: Wed, 30 Jul 2025 16:08:31 -0400 From: Olga Kornievskaia <okorniev@...hat.com> To: chuck.lever@...cle.com, jlayton@...nel.org, trondmy@...merspace.com, anna.schumaker@...cle.com, hch@....de, sagi@...mberg.me, kch@...dia.com, davem@...emloft.net, edumazet@...gle.com, kuba@...nel.org, pabeni@...hat.com Cc: linux-nfs@...r.kernel.org, linux-nvme@...ts.infradead.org, netdev@...r.kernel.org, kernel-tls-handshake@...ts.linux.dev, neil@...wn.name, Dai.Ngo@...cle.com, tom@...pey.com, hare@...e.de, horms@...nel.org, kbusch@...nel.org Subject: [PATCH 0/4] address tls_alert_recv usage by NFS and NvME This is a multi-component patch series: NFS client, NFS server, NvME (target), net. tls_alert_recv() has been originally written to retrieve TLS alert payload out of the msg iterator's kvec buffer. Yet, the callers of tls_alert_recv() have not been careful enough to make sure that msg has always been initialized with a kvec-backed iterator (ie., some times bvec was used). Furthermore, callers didn't account for the fact that the msg iterator's kvec is advanced by sock_recvmsg upon filling up the provided space by the copy. All that lead to the ability to construct a malicious payload that would trigger badness in tls_alert_recv(). This patch series attempts to address it in a couple of steps. First, there are patches for each of the current consumers (NFS server, NFS client, NvME target) of tls_alert_recv to address an immediate problem which I think should be backported. Note, patch#3 is NvME patch that had no testing. Compile only patch. Second, the last patch builds on top of the fixes but changes tls_alert_recv to force the callers to provide the kvec directly in hopes that any future users of tls_alert_recv would be more congnizant of providing location to the actual TLS alert payload. Again note that nvme changes in patch#4 are compile only. Olga Kornievskaia (4): sunrpc: fix handling of server side tls alerts sunrpc: fix client side handling of tls alerts nvmet-tcp: fix handling of tls alerts net/handshake: change tls_alert_recv to receive a kvec drivers/nvme/target/tcp.c | 37 +++++++++++++++----------- include/net/handshake.h | 2 +- net/handshake/alert.c | 6 ++--- net/sunrpc/svcsock.c | 56 ++++++++++++++++++++++++++++----------- net/sunrpc/xprtsock.c | 51 ++++++++++++++++++++++++----------- 5 files changed, 101 insertions(+), 51 deletions(-) -- 2.47.1
Powered by blists - more mailing lists