Merge branch 'net-tls-fix-scatter-gather-list-issues'

Jakub Kicinski says: ==================== net: tls: fix scatter-gather list issues This series kicked of by a syzbot report fixes three issues around scatter gather handling in the TLS code. First patch fixes a use- -after-free situation which may occur if record was freed on error. This could have already happened in BPF paths, and patch 2 now makes the same condition occur in non-BPF code. Patch 2 fixes the problem spotted by syzbot. If encryption failed we have to clean the end markings from scatter gather list. As suggested by John the patch frees the record entirely and caller may retry copying data from user space buffer again. Third patch fixes a bug in the TLS 1.3 code spotted while working on patch 2. TLS 1.3 may effectively overflow the SG list which leads to the BUG() in sg_page() being triggered. Patch 4 adds a test case which triggers this bug reliably. Next two patches are small cleanups of dead code and code which makes dangerous assumptions. Last but not least two minor improvements to the sockmap tests. Tested: - bpf/test_sockmap - net/tls - syzbot repro (which used error injection, hence no direct selftest is added to preserve it). ==================== Signed-off-by: David S. Miller <davem@davemloft.net>
author: David S. Miller <davem@davemloft.net> 2019-11-28 22:40:30 -0800
committer: David S. Miller <davem@davemloft.net> 2019-11-28 22:40:30 -0800
commit: 2eaa857534b4860dc337496e35f72f50614383b3 (patch)
tree: c221b6c928b70543c9c5d1ba29c60b33448a74c3 /net/tls/tls_sw.c
parent: 81b6b96475ac7a4ebfceae9f16fb3758327adbfe (diff)
parent: e5dc9dd3258098bf8b5ceb75fc3433b41eff618a (diff)
1 files changed, 19 insertions, 13 deletions
diff --git a/net/tls/tls_sw.c b/net/tls/tls_sw.c
index da9f9ce51e7b..2b2d0bae14a9 100644
--- a/net/tls/tls_sw.c
+++ b/net/tls/tls_sw.c
@@ -710,8 +710,7 @@ static int tls_push_record(struct sock *sk, int flags,
 	}
 
 	i = msg_pl->sg.start;
-	sg_chain(rec->sg_aead_in, 2, rec->inplace_crypto ?
-		 &msg_en->sg.data[i] : &msg_pl->sg.data[i]);
+	sg_chain(rec->sg_aead_in, 2, &msg_pl->sg.data[i]);
 
 	i = msg_en->sg.end;
 	sk_msg_iter_var_prev(i);
@@ -771,8 +770,14 @@ static int bpf_exec_tx_verdict(struct sk_msg *msg, struct sock *sk,
 
 	policy = !(flags & MSG_SENDPAGE_NOPOLICY);
 	psock = sk_psock_get(sk);
-	if (!psock || !policy)
-		return tls_push_record(sk, flags, record_type);
+	if (!psock || !policy) {
+		err = tls_push_record(sk, flags, record_type);
+		if (err) {
+			*copied -= sk_msg_free(sk, msg);
+			tls_free_open_rec(sk);
+		}
+		return err;
+	}
 more_data:
 	enospc = sk_msg_full(msg);
 	if (psock->eval == __SK_NONE) {
@@ -970,8 +975,6 @@ alloc_encrypted:
 			if (ret)
 				goto fallback_to_reg_send;
 
-			rec->inplace_crypto = 0;
-
 			num_zc++;
 			copied += try_to_copy;
 
@@ -984,7 +987,7 @@ alloc_encrypted:
 					num_async++;
 				else if (ret == -ENOMEM)
 					goto wait_for_memory;
-				else if (ret == -ENOSPC)
+				else if (ctx->open_rec && ret == -ENOSPC)
 					goto rollback_iter;
 				else if (ret != -EAGAIN)
 					goto send_end;
@@ -1053,11 +1056,12 @@ wait_for_memory:
 		ret = sk_stream_wait_memory(sk, &timeo);
 		if (ret) {
 trim_sgl:
-			tls_trim_both_msgs(sk, orig_size);
+			if (ctx->open_rec)
+				tls_trim_both_msgs(sk, orig_size);
 			goto send_end;
 		}
 
-		if (msg_en->sg.size < required_size)
+		if (ctx->open_rec && msg_en->sg.size < required_size)
 			goto alloc_encrypted;
 	}
 
@@ -1169,7 +1173,6 @@ alloc_payload:
 
 		tls_ctx->pending_open_record_frags = true;
 		if (full_record || eor || sk_msg_full(msg_pl)) {
-			rec->inplace_crypto = 0;
 			ret = bpf_exec_tx_verdict(msg_pl, sk, full_record,
 						  record_type, &copied, flags);
 			if (ret) {
@@ -1190,11 +1193,13 @@ wait_for_sndbuf:
 wait_for_memory:
 		ret = sk_stream_wait_memory(sk, &timeo);
 		if (ret) {
-			tls_trim_both_msgs(sk, msg_pl->sg.size);
+			if (ctx->open_rec)
+				tls_trim_both_msgs(sk, msg_pl->sg.size);
 			goto sendpage_end;
 		}
 
-		goto alloc_payload;
+		if (ctx->open_rec)
+			goto alloc_payload;
 	}
 
 	if (num_async) {
@@ -2084,7 +2089,8 @@ void tls_sw_release_resources_tx(struct sock *sk)
 	/* Free up un-sent records in tx_list. First, free
 	 * the partially sent record if any at head of tx_list.
 	 */
-	if (tls_free_partial_record(sk, tls_ctx)) {
+	if (tls_ctx->partially_sent_record) {
+		tls_free_partial_record(sk, tls_ctx);
 		rec = list_first_entry(&ctx->tx_list,
 				       struct tls_rec, list);
 		list_del(&rec->list);
author	David S. Miller <davem@davemloft.net>	2019-11-28 22:40:30 -0800
committer	David S. Miller <davem@davemloft.net>	2019-11-28 22:40:30 -0800
commit	2eaa857534b4860dc337496e35f72f50614383b3 (patch)
tree	c221b6c928b70543c9c5d1ba29c60b33448a74c3 /net/tls/tls_sw.c
parent	81b6b96475ac7a4ebfceae9f16fb3758327adbfe (diff)
parent	e5dc9dd3258098bf8b5ceb75fc3433b41eff618a (diff)