| From 17364488bd20034f0cb2b31325049ed387e8bc49 Mon Sep 17 00:00:00 2001 |
| From: Sasha Levin <sashal@kernel.org> |
| Date: Thu, 31 Mar 2022 15:04:28 +0800 |
| Subject: net/tls: fix slab-out-of-bounds bug in decrypt_internal |
| |
| From: Ziyang Xuan <william.xuanziyang@huawei.com> |
| |
| [ Upstream commit 9381fe8c849cfbe50245ac01fc077554f6eaa0e2 ] |
| |
| The memory size of tls_ctx->rx.iv for AES128-CCM is set to 12 in |
| tls_set_sw_offload(). The return value of crypto_aead_ivsize() |
| for "ccm(aes)" is 16. So a memcpy() that requires 16 bytes from a 12-byte |
| memory space will trigger a slab-out-of-bounds bug as follows: |
| |
| ================================================================== |
| BUG: KASAN: slab-out-of-bounds in decrypt_internal+0x385/0xc40 [tls] |
| Read of size 16 at addr ffff888114e84e60 by task tls/10911 |
| |
| Call Trace: |
| <TASK> |
| dump_stack_lvl+0x34/0x44 |
| print_report.cold+0x5e/0x5db |
| ? decrypt_internal+0x385/0xc40 [tls] |
| kasan_report+0xab/0x120 |
| ? decrypt_internal+0x385/0xc40 [tls] |
| kasan_check_range+0xf9/0x1e0 |
| memcpy+0x20/0x60 |
| decrypt_internal+0x385/0xc40 [tls] |
| ? tls_get_rec+0x2e0/0x2e0 [tls] |
| ? process_rx_list+0x1a5/0x420 [tls] |
| ? tls_setup_from_iter.constprop.0+0x2e0/0x2e0 [tls] |
| decrypt_skb_update+0x9d/0x400 [tls] |
| tls_sw_recvmsg+0x3c8/0xb50 [tls] |
| |
| Allocated by task 10911: |
| kasan_save_stack+0x1e/0x40 |
| __kasan_kmalloc+0x81/0xa0 |
| tls_set_sw_offload+0x2eb/0xa20 [tls] |
| tls_setsockopt+0x68c/0x700 [tls] |
| __sys_setsockopt+0xfe/0x1b0 |
| |
| Replace crypto_aead_ivsize() with prot->iv_size + prot->salt_size |
| for the memcpy() of the iv value in the TLS_1_3_VERSION scenario. |
| |
| Fixes: f295b3ae9f59 ("net/tls: Add support of AES128-CCM based ciphers") |
| Signed-off-by: Ziyang Xuan <william.xuanziyang@huawei.com> |
| Reviewed-by: Jakub Kicinski <kuba@kernel.org> |
| Signed-off-by: David S. Miller <davem@davemloft.net> |
| Signed-off-by: Sasha Levin <sashal@kernel.org> |
| --- |
| net/tls/tls_sw.c | 2 +- |
| 1 file changed, 1 insertion(+), 1 deletion(-) |
| |
| diff --git a/net/tls/tls_sw.c b/net/tls/tls_sw.c |
| index dfe623a4e72f..3aecd770ef99 100644 |
| --- a/net/tls/tls_sw.c |
| +++ b/net/tls/tls_sw.c |
| @@ -1495,7 +1495,7 @@ static int decrypt_internal(struct sock *sk, struct sk_buff *skb, |
| if (prot->version == TLS_1_3_VERSION || |
| prot->cipher_type == TLS_CIPHER_CHACHA20_POLY1305) |
| memcpy(iv + iv_offset, tls_ctx->rx.iv, |
| - crypto_aead_ivsize(ctx->aead_recv)); |
| + prot->iv_size + prot->salt_size); |
| else |
| memcpy(iv + iv_offset, tls_ctx->rx.iv, prot->salt_size); |
| |
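Review bot: The new length in the first memcpy(), prot->iv_size + prot->salt_size, is only safe if it matches the size of the tls_ctx->rx.iv allocation made in tls_set_sw_offload(), and nothing at this call site says so. A one-line comment above the memcpy() stating that rx.iv is allocated with exactly that size (12 bytes for AES128-CCM, per the commit message) would help keep a later cleanup from switching back to crypto_aead_ivsize(). The same branch is also taken for prot->cipher_type == TLS_CIPHER_CHACHA20_POLY1305, while the commit message only discusses the TLS_1_3_VERSION case, so the message should confirm that the new length is also correct for that cipher.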
| -- |
| 2.35.1 |
| |