Fixes for 5.4

Signed-off-by: Sasha Levin <sashal@kernel.org>

diff --git a/queue-5.4/net-tls-fix-possible-race-condition-between-do_tls_g.patch b/queue-5.4/net-tls-fix-possible-race-condition-between-do_tls_g.patch
new file mode 100644 (file)
index 0000000..a941c03
--- /dev/null
+++ b/queue-5.4/net-tls-fix-possible-race-condition-between-do_tls_g.patch
@@ -0,0 +1,81 @@
+From 4192ca1e3230eaee9b9d87b0344db99063701946 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 23 Mar 2023 05:30:32 +0000
+Subject: net: tls: fix possible race condition between
+ do_tls_getsockopt_conf() and do_tls_setsockopt_conf()
+
+From: Hangyu Hua <hbh25y@gmail.com>
+
+commit 49c47cc21b5b7a3d8deb18fc57b0aa2ab1286962 upstream.
+
+ctx->crypto_send.info is not protected by lock_sock in
+do_tls_getsockopt_conf(). A race condition between do_tls_getsockopt_conf()
+and error paths of do_tls_setsockopt_conf() may lead to a use-after-free
+or null-deref.
+
+More discussion:  https://lore.kernel.org/all/Y/ht6gQL+u6fj3dG@hog/
+
+Fixes: 3c4d7559159b ("tls: kernel TLS support")
+Signed-off-by: Hangyu Hua <hbh25y@gmail.com>
+Link: https://lore.kernel.org/r/20230228023344.9623-1-hbh25y@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Meena Shanmugam <meenashanmugam@google.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/tls/tls_main.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+diff --git a/net/tls/tls_main.c b/net/tls/tls_main.c
+index 7aba4ee77aba3..cb51a2f46b11d 100644
+--- a/net/tls/tls_main.c
++++ b/net/tls/tls_main.c
+@@ -371,13 +371,11 @@ static int do_tls_getsockopt_tx(struct sock *sk, char __user *optval,
+                       rc = -EINVAL;
+                       goto out;
+               }
+-              lock_sock(sk);
+               memcpy(crypto_info_aes_gcm_128->iv,
+                      ctx->tx.iv + TLS_CIPHER_AES_GCM_128_SALT_SIZE,
+                      TLS_CIPHER_AES_GCM_128_IV_SIZE);
+               memcpy(crypto_info_aes_gcm_128->rec_seq, ctx->tx.rec_seq,
+                      TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
+-              release_sock(sk);
+               if (copy_to_user(optval,
+                                crypto_info_aes_gcm_128,
+                                sizeof(*crypto_info_aes_gcm_128)))
+@@ -395,13 +393,11 @@ static int do_tls_getsockopt_tx(struct sock *sk, char __user *optval,
+                       rc = -EINVAL;
+                       goto out;
+               }
+-              lock_sock(sk);
+               memcpy(crypto_info_aes_gcm_256->iv,
+                      ctx->tx.iv + TLS_CIPHER_AES_GCM_256_SALT_SIZE,
+                      TLS_CIPHER_AES_GCM_256_IV_SIZE);
+               memcpy(crypto_info_aes_gcm_256->rec_seq, ctx->tx.rec_seq,
+                      TLS_CIPHER_AES_GCM_256_REC_SEQ_SIZE);
+-              release_sock(sk);
+               if (copy_to_user(optval,
+                                crypto_info_aes_gcm_256,
+                                sizeof(*crypto_info_aes_gcm_256)))
+@@ -421,6 +417,8 @@ static int do_tls_getsockopt(struct sock *sk, int optname,
+ {
+       int rc = 0;
+ 
++      lock_sock(sk);
++
+       switch (optname) {
+       case TLS_TX:
+               rc = do_tls_getsockopt_tx(sk, optval, optlen);
+@@ -429,6 +427,9 @@ static int do_tls_getsockopt(struct sock *sk, int optname,
+               rc = -ENOPROTOOPT;
+               break;
+       }
++
++      release_sock(sk);
++
+       return rc;
+ }
+ 
+-- 
+2.39.2
+

diff --git a/queue-5.4/series b/queue-5.4/series
new file mode 100644 (file)
index 0000000..9ab4e5e
--- /dev/null
+++ b/queue-5.4/series
@@ -0,0 +1 @@
+net-tls-fix-possible-race-condition-between-do_tls_g.patch