Revision da353fac65fede6b8b4cfe207f0d9408e3121105 authored by Daniel Jordan on 27 October 2021, 21:59:20 UTC, committed by David S. Miller on 28 October 2021, 13:41:20 UTC
sk->sk_err appears to expect a positive value, a convention that ktls doesn't always follow and that leads to memory corruption in other code. For instance, [kworker] tls_encrypt_done(..., err=<negative error from crypto request>) tls_err_abort(.., err) sk->sk_err = err; [task] splice_from_pipe_feed ... tls_sw_do_sendpage if (sk->sk_err) { ret = -sk->sk_err; // ret is positive splice_from_pipe_feed (continued) ret = actor(...) // ret is still positive and interpreted as bytes // written, resulting in underflow of buf->len and // sd->len, leading to huge buf->offset and bogus // addresses computed in later calls to actor() Fix all tls_err_abort() callers to pass a negative error code consistently and centralize the error-prone sign flip there, throwing in a warning to catch future misuse and uninlining the function so it really does only warn once. Cc: stable@vger.kernel.org Fixes: c46234ebb4d1e ("tls: RX path for ktls") Reported-by: syzbot+b187b77c8474f9648fae@syzkaller.appspotmail.com Signed-off-by: Daniel Jordan <daniel.m.jordan@oracle.com> Signed-off-by: David S. Miller <davem@davemloft.net>
1 parent a32f07d
File | Mode | Size |
---|---|---|
arm_ffa | ||
arm_scmi | ||
broadcom | ||
efi | ||
imx | ||
meson | ||
psci | ||
smccc | ||
tegra | ||
xilinx | ||
Kconfig | -rw-r--r-- | 11.2 KB |
Makefile | -rw-r--r-- | 1.3 KB |
arm_scpi.c | -rw-r--r-- | 26.2 KB |
arm_sdei.c | -rw-r--r-- | 23.4 KB |
dmi-id.c | -rw-r--r-- | 7.2 KB |
dmi-sysfs.c | -rw-r--r-- | 16.9 KB |
dmi_scan.c | -rw-r--r-- | 29.1 KB |
edd.c | -rw-r--r-- | 19.5 KB |
iscsi_ibft.c | -rw-r--r-- | 20.9 KB |
iscsi_ibft_find.c | -rw-r--r-- | 2.1 KB |
memmap.c | -rw-r--r-- | 11.6 KB |
pcdp.c | -rw-r--r-- | 3.2 KB |
pcdp.h | -rw-r--r-- | 2.5 KB |
qcom_scm-legacy.c | -rw-r--r-- | 6.8 KB |
qcom_scm-smc.c | -rw-r--r-- | 3.7 KB |
qcom_scm.c | -rw-r--r-- | 34.8 KB |
qcom_scm.h | -rw-r--r-- | 4.0 KB |
qemu_fw_cfg.c | -rw-r--r-- | 25.2 KB |
raspberrypi.c | -rw-r--r-- | 9.4 KB |
scpi_pm_domain.c | -rw-r--r-- | 3.7 KB |
stratix10-rsu.c | -rw-r--r-- | 16.2 KB |
stratix10-svc.c | -rw-r--r-- | 31.2 KB |
sysfb.c | -rw-r--r-- | 2.4 KB |
sysfb_simplefb.c | -rw-r--r-- | 3.4 KB |
ti_sci.c | -rw-r--r-- | 98.2 KB |
ti_sci.h | -rw-r--r-- | 53.1 KB |
trusted_foundations.c | -rw-r--r-- | 4.0 KB |
turris-mox-rwtm.c | -rw-r--r-- | 14.0 KB |
![swh spinner](/static/img/swh-spinner.gif)
Computing file changes ...