[thirdparty/kernel/stable-queue.git] / releases / 5.0.10 / net-tls-prevent-bad-memory-access-in-tls_is_sk_tx_device_offloaded.patch

From foo@baz Sat Apr 20 16:43:09 CEST 2019
From: Jakub Kicinski <jakub.kicinski@netronome.com>
Date: Mon, 8 Apr 2019 17:59:50 -0700
Subject: net/tls: prevent bad memory access in tls_is_sk_tx_device_offloaded()

From: Jakub Kicinski <jakub.kicinski@netronome.com>

[ Upstream commit b4f47f3848eb70986f75d06112af7b48b7f5f462 ]

Unlike '&&' operator, the '&' does not have short-circuit
evaluation semantics.  IOW both sides of the operator always
get evaluated.  Fix the wrong operator in
tls_is_sk_tx_device_offloaded(), which would lead to
out-of-bounds access for for non-full sockets.

Fixes: 4799ac81e52a ("tls: Add rx inline crypto offload")
Signed-off-by: Jakub Kicinski <jakub.kicinski@netronome.com>
Reviewed-by: Dirk van der Merwe <dirk.vandermerwe@netronome.com>
Reviewed-by: Simon Horman <simon.horman@netronome.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 include/net/tls.h |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/include/net/tls.h
+++ b/include/net/tls.h
@@ -366,7 +366,7 @@ tls_validate_xmit_skb(struct sock *sk, s
 static inline bool tls_is_sk_tx_device_offloaded(struct sock *sk)
 {
 #ifdef CONFIG_SOCK_VALIDATE_XMIT
-	return sk_fullsock(sk) &
+	return sk_fullsock(sk) &&
 	       (smp_load_acquire(&sk->sk_validate_xmit_skb) ==
 	       &tls_validate_xmit_skb);
 #else
Commit	Line	Data
0ee3da53 GKH	1	From foo@baz Sat Apr 20 16:43:09 CEST 2019
	2	From: Jakub Kicinski <jakub.kicinski@netronome.com>
	3	Date: Mon, 8 Apr 2019 17:59:50 -0700
	4	Subject: net/tls: prevent bad memory access in tls_is_sk_tx_device_offloaded()
	5
	6	From: Jakub Kicinski <jakub.kicinski@netronome.com>
	7
	8	[ Upstream commit b4f47f3848eb70986f75d06112af7b48b7f5f462 ]
	9
	10	Unlike '&&' operator, the '&' does not have short-circuit
	11	evaluation semantics. IOW both sides of the operator always
	12	get evaluated. Fix the wrong operator in
	13	tls_is_sk_tx_device_offloaded(), which would lead to
	14	out-of-bounds access for for non-full sockets.
	15
	16	Fixes: 4799ac81e52a ("tls: Add rx inline crypto offload")
	17	Signed-off-by: Jakub Kicinski <jakub.kicinski@netronome.com>
	18	Reviewed-by: Dirk van der Merwe <dirk.vandermerwe@netronome.com>
	19	Reviewed-by: Simon Horman <simon.horman@netronome.com>
	20	Signed-off-by: David S. Miller <davem@davemloft.net>
	21	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	22	---
	23	include/net/tls.h \| 2 +-
	24	1 file changed, 1 insertion(+), 1 deletion(-)
	25
	26	--- a/include/net/tls.h
	27	+++ b/include/net/tls.h
	28	@@ -366,7 +366,7 @@ tls_validate_xmit_skb(struct sock *sk, s
	29	static inline bool tls_is_sk_tx_device_offloaded(struct sock *sk)
	30	{
	31	#ifdef CONFIG_SOCK_VALIDATE_XMIT
	32	- return sk_fullsock(sk) &
	33	+ return sk_fullsock(sk) &&
	34	(smp_load_acquire(&sk->sk_validate_xmit_skb) ==
	35	&tls_validate_xmit_skb);
	36	#else