| Message ID | 20220331070428.36111-1-william.xuanziyang@huawei.com (mailing list archive) |
|---|---|
| State | Accepted |
| Commit | 9381fe8c849cfbe50245ac01fc077554f6eaa0e2 |
| Delegated to: | Netdev Maintainers |
| Headers | show |
| Series | [net,v2] net/tls: fix slab-out-of-bounds bug in decrypt_internal | expand |
On Thu, 31 Mar 2022 15:04:28 +0800 Ziyang Xuan wrote: > The memory size of tls_ctx->rx.iv for AES128-CCM is 12 setting in > tls_set_sw_offload(). The return value of crypto_aead_ivsize() > for "ccm(aes)" is 16. So memcpy() require 16 bytes from 12 bytes > memory space will trigger slab-out-of-bounds bug as following: > > ================================================================== > BUG: KASAN: slab-out-of-bounds in decrypt_internal+0x385/0xc40 [tls] > Read of size 16 at addr ffff888114e84e60 by task tls/10911 Reviewed-by: Jakub Kicinski <kuba@kernel.org> Thanks!
Hello: This patch was applied to netdev/net.git (master) by David S. Miller <davem@davemloft.net>: On Thu, 31 Mar 2022 15:04:28 +0800 you wrote: > The memory size of tls_ctx->rx.iv for AES128-CCM is 12 setting in > tls_set_sw_offload(). The return value of crypto_aead_ivsize() > for "ccm(aes)" is 16. So memcpy() require 16 bytes from 12 bytes > memory space will trigger slab-out-of-bounds bug as following: > > ================================================================== > BUG: KASAN: slab-out-of-bounds in decrypt_internal+0x385/0xc40 [tls] > Read of size 16 at addr ffff888114e84e60 by task tls/10911 > > [...] Here is the summary with links: - [net,v2] net/tls: fix slab-out-of-bounds bug in decrypt_internal https://git.kernel.org/netdev/net/c/9381fe8c849c You are awesome, thank you!
diff --git a/net/tls/tls_sw.c b/net/tls/tls_sw.c index 0024a692f0f8..a8976ef95528 100644 --- a/net/tls/tls_sw.c +++ b/net/tls/tls_sw.c @@ -1496,7 +1496,7 @@ static int decrypt_internal(struct sock *sk, struct sk_buff *skb, if (prot->version == TLS_1_3_VERSION || prot->cipher_type == TLS_CIPHER_CHACHA20_POLY1305) memcpy(iv + iv_offset, tls_ctx->rx.iv, - crypto_aead_ivsize(ctx->aead_recv)); + prot->iv_size + prot->salt_size); else memcpy(iv + iv_offset, tls_ctx->rx.iv, prot->salt_size);
The memory size of tls_ctx->rx.iv for AES128-CCM is 12 setting in tls_set_sw_offload(). The return value of crypto_aead_ivsize() for "ccm(aes)" is 16. So memcpy() require 16 bytes from 12 bytes memory space will trigger slab-out-of-bounds bug as following: ================================================================== BUG: KASAN: slab-out-of-bounds in decrypt_internal+0x385/0xc40 [tls] Read of size 16 at addr ffff888114e84e60 by task tls/10911 Call Trace: <TASK> dump_stack_lvl+0x34/0x44 print_report.cold+0x5e/0x5db ? decrypt_internal+0x385/0xc40 [tls] kasan_report+0xab/0x120 ? decrypt_internal+0x385/0xc40 [tls] kasan_check_range+0xf9/0x1e0 memcpy+0x20/0x60 decrypt_internal+0x385/0xc40 [tls] ? tls_get_rec+0x2e0/0x2e0 [tls] ? process_rx_list+0x1a5/0x420 [tls] ? tls_setup_from_iter.constprop.0+0x2e0/0x2e0 [tls] decrypt_skb_update+0x9d/0x400 [tls] tls_sw_recvmsg+0x3c8/0xb50 [tls] Allocated by task 10911: kasan_save_stack+0x1e/0x40 __kasan_kmalloc+0x81/0xa0 tls_set_sw_offload+0x2eb/0xa20 [tls] tls_setsockopt+0x68c/0x700 [tls] __sys_setsockopt+0xfe/0x1b0 Replace the crypto_aead_ivsize() with prot->iv_size + prot->salt_size when memcpy() iv value in TLS_1_3_VERSION scenario. Fixes: f295b3ae9f59 ("net/tls: Add support of AES128-CCM based ciphers") Signed-off-by: Ziyang Xuan <william.xuanziyang@huawei.com> --- v1->v2: - Remove not-required modification. --- net/tls/tls_sw.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)