Date: Wed, 25 Oct 2023 12:27:05 +0200
From: Sabrina Dubroca
To: Hangyu Hua, kuba@kernel.org
Cc: borisp@nvidia.com, john.fastabend@gmail.com, davem@davemloft.net, edumazet@google.com, pabeni@redhat.com, netdev@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH] net: tls: Fix possible NULL-pointer dereference in tls_decrypt_device() and tls_decrypt_sw()
References: <20231023080611.19244-1-hbh25y@gmail.com> <120e6c2c-6122-41db-8c46-7753e9659c70@gmail.com>
In-Reply-To: <120e6c2c-6122-41db-8c46-7753e9659c70@gmail.com>
List-ID: linux-kernel@vger.kernel.org

2023-10-24, 10:17:08 +0800, Hangyu Hua wrote:
> On 23/10/2023 22:03, Sabrina Dubroca wrote:
> > 2023-10-23, 16:06:11 +0800, Hangyu Hua wrote:
> > > tls_rx_one_record can be called in tls_sw_splice_read and tls_sw_read_sock
> > > with msg being NULL. This may lead to null pointer dereferences in
> > > tls_decrypt_device and tls_decrypt_sw.
> > >
> > > Fix this by adding a check.
> >
> > Have you actually hit this NULL dereference? I don't see how it can
> > happen.
> >
> > darg->zc is 0 in both cases, so tls_decrypt_device doesn't call
> > skb_copy_datagram_msg.
> >
> > tls_decrypt_sw will call tls_decrypt_sg with out_iov = &msg->msg_iter
> > (a bogus pointer but no NULL deref yet), and darg->zc is still
> > 0. tls_decrypt_sg skips the use of out_iov/out_sg and allocates
> > clear_skb, and the next place where it would use out_iov is skipped
> > because we have clear_skb.
>
> My bad. I only checked &msg->msg_iter's address in tls_decrypt_sw and found
> it was wrong. Do I need to make a new patch to fix the harmless bogus
> pointer?

I don't think that's necessary, but maybe it would avoid people trying
to "fix" this code in the future. Jakub, WDYT?

--
Sabrina