From: Hangyu Hua
To: borisp@nvidia.com, john.fastabend@gmail.com, kuba@kernel.org, davem@davemloft.net, edumazet@google.com, pabeni@redhat.com
Cc: netdev@vger.kernel.org, linux-kernel@vger.kernel.org, Hangyu Hua
Subject: [PATCH] net: tls: Fix possible NULL-pointer dereference in tls_decrypt_device() and tls_decrypt_sw()
Date: Mon, 23 Oct 2023 16:06:11 +0800
Message-Id: <20231023080611.19244-1-hbh25y@gmail.com>
X-Mailing-List: linux-kernel@vger.kernel.org

tls_rx_one_record can be called in tls_sw_splice_read and tls_sw_read_sock with msg being NULL. This may lead to null pointer dereferences in tls_decrypt_device and tls_decrypt_sw. Fix this by adding a check.

Fixes: dd47ed3620e6 ("tls: rx: factor SW handling out of tls_rx_one_record()")
Signed-off-by: Hangyu Hua

--- net/tls/tls_sw.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/net/tls/tls_sw.c b/net/tls/tls_sw.c index e9d1e83a859d..411bf148f707 100644 --- a/net/tls/tls_sw.c +++ b/net/tls/tls_sw.c @@ -1612,7 +1612,11 @@ tls_decrypt_sw(struct sock *sk, struct tls_context *tls_ctx, struct strp_msg *rxm; int pad, err; - err = tls_decrypt_sg(sk, &msg->msg_iter, NULL, darg); + if (msg == NULL) + err = tls_decrypt_sg(sk, NULL, NULL, darg); + else + err = tls_decrypt_sg(sk, &msg->msg_iter, NULL, darg); + if (err < 0) { if (err == -EBADMSG) TLS_INC_STATS(sock_net(sk), LINUX_MIB_TLSDECRYPTERROR); 
@@ -1686,7 +1690,8 @@ tls_decrypt_device(struct sock *sk, struct msghdr *msg, off = rxm->offset + prot->prepend_size; len = rxm->full_len - prot->overhead_size; - err = skb_copy_datagram_msg(darg->skb, off, msg, len); + if (msg != NULL) + err = skb_copy_datagram_msg(darg->skb, off, msg, len); if (err) return err; } -- 2.34.1
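Review bot: In tls_decrypt_sw(), the new if/else duplicates the tls_decrypt_sg() call only to switch one argument, and the commit message does not say where a NULL msg is actually dereferenced. `&msg->msg_iter` only forms a member address, so any dereference would happen inside tls_decrypt_sg(); please name the condition under which the tls_sw_splice_read and tls_sw_read_sock callers reach a use of the iterator, so reviewers can tell whether this is reachable or purely defensive. If the check stays, a single call passing `msg ? &msg->msg_iter : NULL` is shorter, and kernel style prefers `!msg` to `msg == NULL`.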
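Review bot: In tls_decrypt_device(), guarding only the skb_copy_datagram_msg() call leaves the following `if (err) return err;` outside the guard, so when msg is NULL it tests whatever err held before this block, which the hunk does not show being reset. Move the error check under the same `if (msg)` or set err explicitly on the NULL path. Skipping the copy also means this branch completes without the record data going anywhere; the commit message should say why that is correct for the callers that pass NULL, or the function should return an error instead.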