Received: by 10.223.176.5 with SMTP id f5csp3355326wra; Mon, 29 Jan 2018 12:07:29 -0800 (PST) X-Google-Smtp-Source: AH8x224TsKE45/nXfYqwufSkVkmu4Jd+VXkVPvtNToKUFfZODXRLc8ZiKBOLwx965kSThPo5fA0w X-Received: by 10.99.55.5 with SMTP id e5mr22101220pga.237.1517256449082; Mon, 29 Jan 2018 12:07:29 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1517256449; cv=none; d=google.com; s=arc-20160816; b=dfUZlb1a8ycRJ9UoNkfQY73xHyt1pZFaowaA3xJJsbERYtnuB81aj3C5ZDBTJix4Sn IZYsnXXPZdujBIBaQZdJ5lRznC/4K+GWsen/uomFiXLYMJK+SMg3BHwjDzKz4Vf7Aw5G 73qdL2fBSYjLpLIzdMRG4M3gH2nMw+NxIOLjhvDeL4srPlkhapW6vb3M1jKURHMrfl3o DTiJ00kJJUjxw0EyaVXg6I3JIlFuHqijQB95QZwjZpppyxpmuSKjDeaDjCb1bBSZmIht VJ6j0jOAPnEcsHp8LjnRtKrH2vovYihphHmyPtVYRPEjOcgtjiPVcwI08MduUoZ+AS+q 3JzQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:mime-version:user-agent:references :in-reply-to:message-id:date:subject:cc:to:from :arc-authentication-results; bh=a8nrHn9EhQK1/Rrjt4/wVbQK74e8Xuj3vlV/b2LRotY=; b=zwRWfZmo9FZflX4cOkBXvyNQuPXj5v63WQF5PR2F1khJQ+4m+YQcyZeFaAzJMe9k/w rBqcI2lCduAPK7TR1X9xxXADxMtto4r3R2TJypUrzlgEZyqv9HixWXXxFcP6Q1g8+sCn +pF7DdcQKXlWMGv+hFF/enEFDout7AQxvNrONDCeUg5rGBswA3n/wvppfZTWVoX7Zvsb iEypWBwXrVKyACe7Do0hfdEhUm4x6OZPkgXUPNkyHsNJx6mri4P3sUcytiJmZNzj7RwZ 2/afLuBBNdVmrx1SGfFsm3nZW/1/g9f2IOvtHq3TGqRVLNoREOZ/wdDsWaXhqyZsAXuX 9JmA== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id s23si7967956pgo.378.2018.01.29.12.07.14; Mon, 29 Jan 2018 12:07:29 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752564AbeA2UFS (ORCPT + 99 others); Mon, 29 Jan 2018 15:05:18 -0500 Received: from mail.linuxfoundation.org ([140.211.169.12]:44684 "EHLO mail.linuxfoundation.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752547AbeA2UFP (ORCPT ); Mon, 29 Jan 2018 15:05:15 -0500 Received: from localhost (LFbn-1-12258-90.w90-92.abo.wanadoo.fr [90.92.71.90]) by mail.linuxfoundation.org (Postfix) with ESMTPSA id 962923021; Mon, 29 Jan 2018 13:10:04 +0000 (UTC) From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, syzbot+904e7cd6c5c741609228@syzkaller.appspotmail.com, Ilya Lesokhin , "David S. Miller" Subject: [PATCH 4.14 54/71] net/tls: Only attach to sockets in ESTABLISHED state Date: Mon, 29 Jan 2018 13:57:22 +0100 Message-Id: <20180129123831.029826349@linuxfoundation.org> X-Mailer: git-send-email 2.16.1 In-Reply-To: <20180129123827.271171825@linuxfoundation.org> References: <20180129123827.271171825@linuxfoundation.org> User-Agent: quilt/0.65 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org 4.14-stable review patch. If anyone has any objections, please let me know. ------------------ From: Ilya Lesokhin [ Upstream commit d91c3e17f75f218022140dee18cf515292184a8f ] Calling accept on a TCP socket with a TLS ulp attached results in two sockets that share the same ulp context. The ulp context is freed while a socket is destroyed, so after one of the sockets is released, the second second will trigger a use after free when it tries to access the ulp context attached to it. We restrict the TLS ulp to sockets in ESTABLISHED state to prevent the scenario above. Fixes: 3c4d7559159b ("tls: kernel TLS support") Reported-by: syzbot+904e7cd6c5c741609228@syzkaller.appspotmail.com Signed-off-by: Ilya Lesokhin Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman --- net/tls/tls_main.c | 9 +++++++++ 1 file changed, 9 insertions(+) --- a/net/tls/tls_main.c +++ b/net/tls/tls_main.c @@ -444,6 +444,15 @@ static int tls_init(struct sock *sk) struct tls_context *ctx; int rc = 0; + /* The TLS ulp is currently supported only for TCP sockets + * in ESTABLISHED state. + * Supporting sockets in LISTEN state will require us + * to modify the accept implementation to clone rather then + * share the ulp context. + */ + if (sk->sk_state != TCP_ESTABLISHED) + return -ENOTSUPP; + /* allocate tls context */ ctx = kzalloc(sizeof(*ctx), GFP_KERNEL); if (!ctx) {