Revision - da353fa - net/tls: Fix flipped sign in tls_err_abort() calls

Revision da353fac65fede6b8b4cfe207f0d9408e3121105 authored by Daniel Jordan on 27 October 2021, 21:59:20 UTC, committed by David S. Miller on 28 October 2021, 13:41:20 UTC

net/tls: Fix flipped sign in tls_err_abort() calls

sk->sk_err appears to expect a positive value, a convention that ktls
doesn't always follow and that leads to memory corruption in other code.
For instance,

    [kworker]
    tls_encrypt_done(..., err=<negative error from crypto request>)
      tls_err_abort(.., err)
        sk->sk_err = err;

    [task]
    splice_from_pipe_feed
      ...
        tls_sw_do_sendpage
          if (sk->sk_err) {
            ret = -sk->sk_err;  // ret is positive

    splice_from_pipe_feed (continued)
      ret = actor(...)  // ret is still positive and interpreted as bytes
                        // written, resulting in underflow of buf->len and
                        // sd->len, leading to huge buf->offset and bogus
                        // addresses computed in later calls to actor()

Fix all tls_err_abort() callers to pass a negative error code
consistently and centralize the error-prone sign flip there, throwing in
a warning to catch future misuse and uninlining the function so it
really does only warn once.

Cc: stable@vger.kernel.org
Fixes: c46234ebb4d1e ("tls: RX path for ktls")
Reported-by: syzbot+b187b77c8474f9648fae@syzkaller.appspotmail.com
Signed-off-by: Daniel Jordan <daniel.m.jordan@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

1 parent a32f07d

Files
Changes

Permalinks

File	Mode	Size
Kconfig	-rw-r--r--	8.0 KB
Makefile	-rw-r--r--	2.7 KB
at91_cf.c	-rw-r--r--	10.0 KB
bcm63xx_pcmcia.c	-rw-r--r--	13.3 KB
bcm63xx_pcmcia.h	-rw-r--r--	1.3 KB
cardbus.c	-rw-r--r--	2.8 KB
cirrus.h	-rw-r--r--	5.0 KB
cistpl.c	-rw-r--r--	35.1 KB
cs.c	-rw-r--r--	21.4 KB
cs_internal.h	-rw-r--r--	5.0 KB
db1xxx_ss.c	-rw-r--r--	15.5 KB
ds.c	-rw-r--r--	34.8 KB
electra_cf.c	-rw-r--r--	7.7 KB
i82092.c	-rw-r--r--	15.2 KB
i82092aa.h	-rw-r--r--	804 bytes
i82365.c	-rw-r--r--	37.1 KB
i82365.h	-rw-r--r--	4.9 KB
max1600.c	-rw-r--r--	2.8 KB
max1600.h	-rw-r--r--	577 bytes
o2micro.h	-rw-r--r--	5.9 KB
omap_cf.c	-rw-r--r--	8.6 KB
pcmcia_cis.c	-rw-r--r--	12.6 KB
pcmcia_resource.c	-rw-r--r--	24.1 KB
pd6729.c	-rw-r--r--	18.3 KB
pd6729.h	-rw-r--r--	609 bytes
pxa2xx_balloon3.c	-rw-r--r--	3.4 KB
pxa2xx_base.c	-rw-r--r--	10.3 KB
pxa2xx_base.h	-rw-r--r--	202 bytes
pxa2xx_cm_x255.c	-rw-r--r--	2.9 KB
pxa2xx_cm_x270.c	-rw-r--r--	2.3 KB
pxa2xx_cm_x2xx.c	-rw-r--r--	997 bytes
pxa2xx_colibri.c	-rw-r--r--	4.4 KB
pxa2xx_e740.c	-rw-r--r--	2.9 KB
pxa2xx_hx4700.c	-rw-r--r--	2.9 KB
pxa2xx_mainstone.c	-rw-r--r--	3.0 KB
pxa2xx_palmld.c	-rw-r--r--	2.6 KB
pxa2xx_palmtc.c	-rw-r--r--	3.8 KB
pxa2xx_palmtx.c	-rw-r--r--	2.6 KB
pxa2xx_sharpsl.c	-rw-r--r--	6.9 KB
pxa2xx_stargate2.c	-rw-r--r--	3.2 KB
pxa2xx_trizeps4.c	-rw-r--r--	4.4 KB
pxa2xx_viper.c	-rw-r--r--	4.1 KB
pxa2xx_vpac270.c	-rw-r--r--	3.3 KB
ricoh.h	-rw-r--r--	7.6 KB
rsrc_iodyn.c	-rw-r--r--	3.6 KB
rsrc_mgr.c	-rw-r--r--	1.5 KB
rsrc_nonstatic.c	-rw-r--r--	29.5 KB
sa1100_generic.c	-rw-r--r--	5.9 KB
sa1100_generic.h	-rw-r--r--	890 bytes
sa1100_h3600.c	-rw-r--r--	3.9 KB
sa1100_simpad.c	-rw-r--r--	2.4 KB
sa1111_badge4.c	-rw-r--r--	3.7 KB
sa1111_generic.c	-rw-r--r--	6.8 KB
sa1111_generic.h	-rw-r--r--	880 bytes
sa1111_jornada720.c	-rw-r--r--	3.0 KB
sa1111_lubbock.c	-rw-r--r--	3.4 KB
sa1111_neponset.c	-rw-r--r--	2.0 KB
sa11xx_base.c	-rw-r--r--	7.3 KB
sa11xx_base.h	-rw-r--r--	4.7 KB
soc_common.c	-rw-r--r--	23.1 KB
soc_common.h	-rw-r--r--	5.7 KB
socket_sysfs.c	-rw-r--r--	5.6 KB
tcic.c	-rw-r--r--	23.4 KB
tcic.h	-rw-r--r--	8.0 KB
ti113x.h	-rw-r--r--	27.6 KB
topic.h	-rw-r--r--	5.9 KB
vg468.h	-rw-r--r--	4.1 KB
vrc4171_card.c	-rw-r--r--	17.1 KB
xxs1500_ss.c	-rw-r--r--	7.8 KB
yenta_socket.c	-rw-r--r--	39.4 KB
yenta_socket.h	-rw-r--r--	4.8 KB

Showing with 0 additions and 0 deletions (0 / 0 diffs computed)

Computing file changes ...