Received: by 2002:ac0:a5b6:0:0:0:0:0 with SMTP id m51-v6csp722213imm;
        Sat, 26 May 2018 09:28:21 -0700 (PDT)
X-Google-Smtp-Source: AB8JxZqEebvlw807xiCbAdz6Ohj/f6X5el/t5v+uIRCeewOkGbwKGGPavmhuSLQuR4jJX8L8Hp3U
X-Received: by 2002:a17:902:bd02:: with SMTP id p2-v6mr5893577pls.218.1527352101873;
        Sat, 26 May 2018 09:28:21 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1527352101; cv=none;
        d=google.com; s=arc-20160816;
        b=DBewFajKAMjptNBAxc7V1JSlUgMCLXQPPqgph6NT6FcETz4H1nj4e7ls5TYJtZlTIY
         J/XVz7bYYkvCbJkN3rUhtVEjL5T2nndt8zgRWIbOtdSOIqzf4NHDrLjYIySmHcjMycg6
         bGCqj4wGXvGyGL0ZPPKYYZiO17JKbJF5rledcaPVpQJt2+mclEbtE+/htSK6+wn5Zk6r
         uTQFEwzXL8MLaRTdy83YdQr+/SEqDwm+Y1tfBFHAjjxLedM8zWmH0ZFjNryJbok8TmFn
         rYRcCV41RE2mhWRKfXtalicnm953ake2swyc6a+I0iWJ5YnW6VuuS5RQ2euMF5tvfp8O
         K1mg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:user-agent:in-reply-to
         :content-disposition:mime-version:references:message-id:subject:cc
         :to:from:date:arc-authentication-results;
        bh=R5mYYX1bTgM3IrcpixWToLVR21wvm84jxgyrcJjkVNM=;
        b=s8qgSxXiB64hU/ZteD1cEo1IIDDnnOHPG3xudQ2mBEQrXx03a66p85ILFYWRR+AApB
         /LPZqYbKgllOnpMx8ehNfLZYN5m5ScP2yjDcP0l6rbGDk3hnGXQaWBLQ4Afh/fqN1wnQ
         FexMUEzk1OspJSced2HHIVNyV1SnS03HBqCCLPPlx8rT9vKGyqRGn95SVev3B5PZCGUM
         /niw7oEnJyXJlqwr9vEEXA7AtAloenhhnp21DaK9tTSByFsVpMcrBbeTu9ac2FLxtPF2
         ErxaXLcYjgPUy22IAZxJEUedQ1+1Au0N4OB4sSD1YpYGWfmeQMRHa0g0xlRFWptn1+mD
         PV9A==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id a3-v6si16254569pgc.300.2018.05.26.09.28.06;
        Sat, 26 May 2018 09:28:21 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1032195AbeEZQ1j (ORCPT <rfc822;zhangckid@gmail.com> + 99 others);
        Sat, 26 May 2018 12:27:39 -0400
Received: from orcrist.hmeau.com ([104.223.48.154]:39738 "EHLO
        deadmen.hmeau.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1032091AbeEZQ1i (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Sat, 26 May 2018 12:27:38 -0400
Received: from gondobar.mordor.me.apana.org.au ([192.168.128.4] helo=gondobar)
        by deadmen.hmeau.com with esmtps (Exim 4.89 #2 (Debian))
        id 1fMc2W-0001oi-3l; Sun, 27 May 2018 00:27:32 +0800
Received: from herbert by gondobar with local (Exim 4.89)
        (envelope-from <herbert@gondor.apana.org.au>)
        id 1fMc2T-0003tL-5h; Sun, 27 May 2018 00:27:29 +0800
Date:   Sun, 27 May 2018 00:27:29 +0800
From:   Herbert Xu <herbert@gondor.apana.org.au>
To:     Wenwen Wang <wang6495@umn.edu>
Cc:     Kangjie Lu <kjlu@umn.edu>, Harsh Jain <harsh@chelsio.com>,
        "David S. Miller" <davem@davemloft.net>,
        Atul Gupta <atul.gupta@chelsio.com>,
        Michael Werner <werner@chelsio.com>,
        Casey Leedom <leedom@chelsio.com>,
        "open list:CXGB4 CRYPTO DRIVER (chcr)" <linux-crypto@vger.kernel.org>,
        open list <linux-kernel@vger.kernel.org>
Subject: Re: [PATCH] crypto: chtls - fix a missing-check bug
Message-ID: <20180526162729.vwxxnr6po36ipz7h@gondor.apana.org.au>
References: <1526673338-486-1-git-send-email-wang6495@umn.edu>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <1526673338-486-1-git-send-email-wang6495@umn.edu>
User-Agent: NeoMutt/20170113 (1.7.2)
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Fri, May 18, 2018 at 02:55:35PM -0500, Wenwen Wang wrote:
> In do_chtls_setsockopt(), the tls crypto info is first copied from the
> poiner 'optval' in userspace and saved to 'tmp_crypto_info'. Then the
> 'version' of the crypto info is checked. If the version is not as expected,
> i.e., TLS_1_2_VERSION, error code -ENOTSUPP is returned to indicate that
> the provided crypto info is not supported yet. Then, the 'cipher_type'
> field of the 'tmp_crypto_info' is also checked to see if it is
> TLS_CIPHER_AES_GCM_128. If it is, the whole struct of
> tls12_crypto_info_aes_gcm_128 is copied from the pointer 'optval' and then
> the function chtls_setkey() is invoked to set the key.
> 
> Given that the 'optval' pointer resides in userspace, a malicious userspace
> process can race to change the data pointed by 'optval' between the two
> copies. For example, a user can provide a crypto info with TLS_1_2_VERSION
> and TLS_CIPHER_AES_GCM_128. After the first copy, the user can modify the
> 'version' and the 'cipher_type' fields to any versions and/or cipher types
> that are not allowed. This way, the user can bypass the checks, inject
> bad data to the kernel, cause chtls_setkey() to set a wrong key or other
> issues.
> 
> This patch reuses the data copied in the first try so as to ensure these
> checks will not be bypassed.
> 
> Signed-off-by: Wenwen Wang <wang6495@umn.edu>

Patch applied.  Thanks.
-- 
Email: Herbert Xu <herbert@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt