Date: Mon, 23 Oct 2023 16:03:11 +0200
From: Sabrina Dubroca
To: Hangyu Hua
Cc: borisp@nvidia.com, john.fastabend@gmail.com, kuba@kernel.org, davem@davemloft.net, edumazet@google.com, pabeni@redhat.com, netdev@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH] net: tls: Fix possible NULL-pointer dereference in tls_decrypt_device() and tls_decrypt_sw()
References: <20231023080611.19244-1-hbh25y@gmail.com>
In-Reply-To: <20231023080611.19244-1-hbh25y@gmail.com>
X-Mailing-List: linux-kernel@vger.kernel.org

2023-10-23, 16:06:11 +0800, Hangyu Hua wrote:
> tls_rx_one_record can be called in tls_sw_splice_read and tls_sw_read_sock
> with msg being NULL. This may lead to null pointer dereferences in
> tls_decrypt_device and tls_decrypt_sw.
>
> Fix this by adding a check.

Have you actually hit this NULL dereference? I don't see how it can happen.

darg->zc is 0 in both cases, so tls_decrypt_device doesn't call
skb_copy_datagram_msg. tls_decrypt_sw will call tls_decrypt_sg with
out_iov = &msg->msg_iter (a bogus pointer but no NULL deref yet), and
darg->zc is still 0. tls_decrypt_sg skips the use of out_iov/out_sg and
allocates clear_skb, and the next place where it would use out_iov is
skipped because we have clear_skb.
Relevant parts of tls_decrypt_sg:

static int tls_decrypt_sg(struct sock *sk, struct iov_iter *out_iov,
			  struct scatterlist *out_sg,
			  struct tls_decrypt_arg *darg)
{
[...]
	if (darg->zc && (out_iov || out_sg)) {
		clear_skb = NULL;
[...]
	} else {
		darg->zc = false;
		clear_skb = tls_alloc_clrtxt_skb(sk, skb, rxm->full_len);
[...]
	}

[...]
	if (err < 0)
		goto exit_free;

	if (clear_skb) {
		sg_init_table(sgout, n_sgout);
		sg_set_buf(&sgout[0], dctx->aad, prot->aad_size);

		err = skb_to_sgvec(clear_skb, &sgout[1], prot->prepend_size,
				   data_len + prot->tail_size);
		if (err < 0)
			goto exit_free;
	} else if (out_iov) {
[...]
	} else if (out_sg) {
		memcpy(sgout, out_sg, n_sgout * sizeof(*sgout));
	}
[...]
}

-- 
Sabrina
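The argument in the reply above is that the guard protecting the splice/read_sock callers is darg->zc, not a NULL check on msg: with zc clear, tls_decrypt_sg allocates clear_skb and the out_iov pointer derived from the NULL msg is never dereferenced. The following is an added, stand-alone C model of that branch written for this page; it is not kernel code. The structs (msghdr_model, iov_iter_model, decrypt_arg_model) and the functions decrypt_sg_model/decrypt_sw_model are simplified stand-ins that reproduce only the control flow quoted in the mail, and the "bogus pointer" &msg->msg_iter with msg == NULL is modelled with offsetof rather than by doing arithmetic on a null pointer.

```c
/* Added example: a model of the tls_decrypt_sg() decision discussed in the
 * reply above. Not kernel code; all types and functions here are hypothetical
 * stand-ins that keep only the branch structure quoted in the mail. */
#include <assert.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

struct iov_iter_model { size_t count; };                 /* stand-in for iov_iter */
struct msghdr_model { int flags; struct iov_iter_model msg_iter; }; /* stand-in for msghdr */
struct decrypt_arg_model { bool zc; };                    /* stand-in for tls_decrypt_arg */

/* Where the plaintext ends up; DST_FAULT marks the one path that would
 * dereference an unusable out_iov (i.e. the NULL deref the patch worries about). */
enum dst { DST_CLEAR_SKB = 0, DST_OUT_IOV = 1, DST_OUT_SG = 2, DST_FAULT = -1 };

/* Model of tls_decrypt_sg(): the zero-copy branch is the only one that touches
 * out_iov/out_sg. Otherwise zc is cleared and a fresh clear_skb is allocated,
 * and the later "else if (out_iov)" is skipped because clear_skb is non-NULL. */
static int decrypt_sg_model(struct iov_iter_model *out_iov, void *out_sg,
                            struct decrypt_arg_model *darg, bool out_iov_valid)
{
    if (darg->zc && (out_iov || out_sg)) {
        /* clear_skb = NULL; plaintext goes straight to the caller's buffers */
        if (out_iov) {
            if (!out_iov_valid)
                return DST_FAULT;      /* out_iov points into a NULL msghdr */
            (void)out_iov->count;      /* the dereference that only happens here */
            return DST_OUT_IOV;
        }
        return DST_OUT_SG;
    }
    darg->zc = false;                  /* mirrors "darg->zc = false;" */
    return DST_CLEAR_SKB;              /* clear_skb allocated; out_iov never read */
}

/* Model of tls_decrypt_sw(): passes out_iov = &msg->msg_iter down. With
 * msg == NULL that is a non-NULL bogus address (offset of msg_iter), which we
 * compute via offsetof instead of forming it from a null pointer. */
static int decrypt_sw_model(struct msghdr_model *msg, struct decrypt_arg_model *darg)
{
    struct iov_iter_model *out_iov;
    bool valid = (msg != NULL);

    if (msg)
        out_iov = &msg->msg_iter;
    else
        out_iov = (struct iov_iter_model *)(uintptr_t)offsetof(struct msghdr_model, msg_iter);

    return decrypt_sg_model(out_iov, NULL, darg, valid);
}

/* The splice_read / read_sock callers in the mail: msg == NULL and zc == 0. */
static int splice_path_model(void)
{
    struct decrypt_arg_model darg = { .zc = false };
    return decrypt_sw_model(NULL, &darg);
}

/* Hypothetical: what the same call would do if a caller ever passed zc == 1
 * together with msg == NULL. This combination is what a NULL check would guard. */
static int splice_path_with_zc_model(void)
{
    struct decrypt_arg_model darg = { .zc = true };
    return decrypt_sw_model(NULL, &darg);
}

int main(void)
{
    printf("splice/read_sock (zc=0, msg=NULL): %d (0 = clear_skb path)\n", splice_path_model());
    printf("hypothetical zc=1 with msg=NULL:   %d (-1 = would fault)\n", splice_path_with_zc_model());
    return 0;
}
```

The model shows the two facts the reply relies on: with zc clear the NULL msg never matters because the clear_skb branch is taken, and the only configuration in which the bogus out_iov would be dereferenced is zc set with no usable msg, which the quoted callers do not produce.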