From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Jakub Kicinski , John Hurley , "David S. Miller" Subject: [PATCH 4.19 18/23] net/tls: dont copy negative amounts of data in reencrypt Date: Sat, 4 May 2019 12:25:20 +0200 Message-Id: <20190504102452.122933007@linuxfoundation.org> X-Mailer: git-send-email 2.21.0 In-Reply-To: <20190504102451.512405835@linuxfoundation.org> References: <20190504102451.512405835@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Jakub Kicinski [ Upstream commit 97e1caa517e22d62a283b876fb8aa5f4672c83dd ] There is no guarantee the record starts before the skb frags. If we don't check for this condition copy amount will get negative, leading to reads and writes to random memory locations. Familiar hilarity ensues. Fixes: 4799ac81e52a ("tls: Add rx inline crypto offload") Signed-off-by: Jakub Kicinski Reviewed-by: John Hurley Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman --- net/tls/tls_device.c | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) --- a/net/tls/tls_device.c +++ b/net/tls/tls_device.c @@ -600,14 +600,16 @@ static int tls_device_reencrypt(struct s else err = 0; - copy = min_t(int, skb_pagelen(skb) - offset, - rxm->full_len - TLS_CIPHER_AES_GCM_128_TAG_SIZE); + if (skb_pagelen(skb) > offset) { + copy = min_t(int, skb_pagelen(skb) - offset, + rxm->full_len - TLS_CIPHER_AES_GCM_128_TAG_SIZE); - if (skb->decrypted) - skb_store_bits(skb, offset, buf, copy); + if (skb->decrypted) + skb_store_bits(skb, offset, buf, copy); - offset += copy; - buf += copy; + offset += copy; + buf += copy; + } skb_walk_frags(skb, skb_iter) { copy = min_t(int, skb_iter->len,
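Review bot: When the new `if (skb_pagelen(skb) > offset)` test in tls_device_reencrypt() is false, `offset` and `buf` are left untouched and control falls straight into the `skb_walk_frags(skb, skb_iter)` loop, whose only visible line is `copy = min_t(int, skb_iter->len,`. Please confirm that the loop copes with a record that begins part-way into the frag list rather than at the start of the first frag, since `offset` here still describes a position beyond the page data and nothing in this hunk translates it into a position inside a frag. Separately, the second argument of the `min_t(int, ...)` that was kept, `rxm->full_len - TLS_CIPHER_AES_GCM_128_TAG_SIZE`, has no lower bound in the lines shown; if `full_len` can ever be smaller than the tag size, `copy` goes negative again by that route, so either add a check or note in a comment where that is already guaranteed. A one-line comment above the new `if` stating that the record may start after the skb's page data would also save the next reader a trip to the commit log.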