From d4136628be06437153dda97e639f57af9895fad2 Mon Sep 17 00:00:00 2001
From: Andrew Lukoshko
Date: Mon, 24 Jul 2023 08:31:12 +0000
Subject: [PATCH] net: tls: fix possible race condition between do_tls_getsockopt_conf() and do_tls_setsockopt_conf() (Hangyu Hua) {CVE-2023-28466}
---
 ...ible-race-condition-between-do_tls_g.patch | 83 +++++++++++++++++++
 SPECS/kernel.spec | 24 ++++--
 2 files changed, 98 insertions(+), 9 deletions(-)
 create mode 100644 SOURCES/1001-net-tls-fix-possible-race-condition-between-do_tls_g.patch
diff --git a/SOURCES/1001-net-tls-fix-possible-race-condition-between-do_tls_g.patch b/SOURCES/1001-net-tls-fix-possible-race-condition-between-do_tls_g.patch
new file mode 100644
index 0000000..7cd33b7
--- /dev/null
+++ b/SOURCES/1001-net-tls-fix-possible-race-condition-between-do_tls_g.patch
@@ -0,0 +1,83 @@
+From f83f793e1fac3df2dda737ab857099e27b983440 Mon Sep 17 00:00:00 2001
+From: Hangyu Hua
+Date: Wed, 19 Jul 2023 22:52:35 +0000
+Subject: [PATCH 1/1] net: tls: fix possible race condition between
+ do_tls_getsockopt_conf() and do_tls_setsockopt_conf()
+
+ctx->crypto_send.info is not protected by lock_sock in
+do_tls_getsockopt_conf(). A race condition between do_tls_getsockopt_conf()
+and error paths of do_tls_setsockopt_conf() may lead to a use-after-free
+or null-deref.
+
+More discussion: https://lore.kernel.org/all/Y/ht6gQL+u6fj3dG@hog/
+
+Fixes: 3c4d7559159b ("tls: kernel TLS support")
+Signed-off-by: Hangyu Hua
+Link: https://lore.kernel.org/r/20230228023344.9623-1-hbh25y@gmail.com
+Signed-off-by: Jakub Kicinski
+(commit 49c47cc21b5b7a3d8deb18fc57b0aa2ab1286962 upstream)
+
+Conflicts:
+ net/tls/tls_main.c
+
+CVE: CVE-2023-28466
+Signed-off-by: Mridula Shastry
+Reviewed-by: Bert Barbe
+---
+ net/tls/tls_main.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+diff --git a/net/tls/tls_main.c b/net/tls/tls_main.c
+index a4ca1bfaa..92909eeca 100644
+--- a/net/tls/tls_main.c
++++ b/net/tls/tls_main.c
+@@ -386,13 +386,11 @@ static int do_tls_getsockopt_conf(struct sock *sk, char __user *optval,
+ rc = -EINVAL;
+ goto out;
+ }
+- lock_sock(sk);
+ memcpy(crypto_info_aes_gcm_128->iv,
+ cctx->iv + TLS_CIPHER_AES_GCM_128_SALT_SIZE,
+ TLS_CIPHER_AES_GCM_128_IV_SIZE);
+ memcpy(crypto_info_aes_gcm_128->rec_seq, cctx->rec_seq,
+ TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
+- release_sock(sk);
+ if (copy_to_user(optval,
+ crypto_info_aes_gcm_128,
+ sizeof(*crypto_info_aes_gcm_128)))
+@@ -410,13 +408,11 @@ static int do_tls_getsockopt_conf(struct sock *sk, char __user *optval,
+ rc = -EINVAL;
+ goto out;
+ }
+- lock_sock(sk);
+ memcpy(crypto_info_aes_gcm_256->iv,
+ cctx->iv + TLS_CIPHER_AES_GCM_256_SALT_SIZE,
+ TLS_CIPHER_AES_GCM_256_IV_SIZE);
+ memcpy(crypto_info_aes_gcm_256->rec_seq, cctx->rec_seq,
+ TLS_CIPHER_AES_GCM_256_REC_SEQ_SIZE);
+- 
release_sock(sk);
+ if (copy_to_user(optval,
+ crypto_info_aes_gcm_256,
+ sizeof(*crypto_info_aes_gcm_256)))
+@@ -436,6 +432,8 @@ static int do_tls_getsockopt(struct sock *sk, int optname,
+ {
+ int rc = 0;
+
++ lock_sock(sk);
++
+ switch (optname) {
+ case TLS_TX:
+ case TLS_RX:
+@@ -446,6 +444,9 @@ static int do_tls_getsockopt(struct sock *sk, int optname,
+ rc = -ENOPROTOOPT;
+ break;
+ }
++
++ release_sock(sk);
++
+ return rc;
+ }
+
+--
+2.39.3
+
diff --git a/SPECS/kernel.spec b/SPECS/kernel.spec
index aa934b8..cc412f6 100644
--- a/SPECS/kernel.spec
+++ b/SPECS/kernel.spec
@@ -38,10 +38,11 @@
 # define buildid .local
 %define rpmversion 4.18.0
-%define pkgrelease 477.13.1.el8_8
+%define pkgrelease 477.15.1.el8_8
+%define tarfile_release 477.13.1.el8_8
 # allow pkg_release to have configurable %%{?dist} tag
-%define specrelease 477.13.1%{?dist}
+%define specrelease 477.15.1%{?dist}
 %define pkg_release %{specrelease}%{?buildid}
@@ -435,7 +436,7 @@ BuildRequires: xmlto
 BuildRequires: asciidoc
 %endif
-Source0: linux-%{rpmversion}-%{pkgrelease}.tar.xz
+Source0: linux-%{rpmversion}-%{tarfile_release}.tar.xz
 Source9: x509.genkey
@@ -525,6 +526,7 @@ Patch999999: linux-kernel-test.patch
 Patch1000: debrand-single-cpu.patch
 # Patch1001: debrand-rh_taint.patch
 Patch1002: debrand-rh-i686-cpu.patch
+Patch1003: 1001-net-tls-fix-possible-race-condition-between-do_tls_g.patch
 # END OF PATCH DEFINITIONS
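Review bot: With lock_sock() now taken once in do_tls_getsockopt() (the `++ lock_sock(sk);` line of the nested hunk), the two copy_to_user() calls in do_tls_getsockopt_conf() run with the socket lock held, whereas the removed lock_sock()/release_sock() pairs dropped it before the copy. Since lock_sock() may sleep that is permitted, but the widened critical section deserves a why-comment at the new call, e.g. `/* Hold the socket lock for the whole getsockopt so a concurrent setsockopt error path cannot free or clear ctx->crypto_send.info under us. */`. Whether the read of ctx->crypto_send.info at the start of do_tls_getsockopt_conf() is now inside the locked region cannot be verified here, because that function begins before the first nested hunk and its body continues outside the shown hunks; the Conflicts: trailer says the file was hand-adapted for 4.18, so that should be confirmed against the patched source rather than assumed from the upstream commit.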
@@ -1079,15 +1081,16 @@ ApplyOptionalPatch()
 fi
 }
-%setup -q -n %{name}-%{rpmversion}-%{pkgrelease} -c
-cp -v %{SOURCE9000} linux-%{rpmversion}-%{pkgrelease}/certs/rhel.pem
-mv linux-%{rpmversion}-%{pkgrelease} linux-%{KVERREL}
+%setup -q -n %{name}-%{rpmversion}-%{tarfile_release} -c
+cp -v %{SOURCE9000} linux-%{rpmversion}-%{tarfile_release}/certs/rhel.pem
+mv linux-%{rpmversion}-%{tarfile_release} linux-%{KVERREL}
 cd linux-%{KVERREL}
-ApplyOptionalPatch debrand-single-cpu.patch
-# ApplyOptionalPatch debrand-rh_taint.patch
-ApplyOptionalPatch debrand-rh-i686-cpu.patch
+ApplyPatch debrand-single-cpu.patch
+# ApplyPatch debrand-rh_taint.patch
+ApplyPatch debrand-rh-i686-cpu.patch
+ApplyPatch 1001-net-tls-fix-possible-race-condition-between-do_tls_g.patch
 ApplyOptionalPatch linux-kernel-test.patch
 # END OF PATCH APPLICATIONS
@@ -2691,6 +2694,9 @@ fi
 #
 #
 %changelog
+* Mon Jul 24 2023 Andrew Lukoshko [4.18.0-477.15.1.el8_8]
+- net: tls: fix possible race condition between do_tls_getsockopt_conf() and do_tls_setsockopt_conf() (Hangyu Hua) {CVE-2023-28466}
+
 * Thu May 18 2023 Lucas Zampieri [4.18.0-477.13.1.el8_8]
 - netfilter: nf_tables: deactivate anonymous set from preparation phase (Florian Westphal) [2196147 2196146] {CVE-2023-32233}
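Review bot: The switch from `ApplyOptionalPatch` to `ApplyPatch` for debrand-single-cpu.patch and debrand-rh-i686-cpu.patch in this hunk changes how two pre-existing patches are applied and is unrelated to the CVE fix; if ApplyPatch aborts the build when a patch is missing or fails to apply, as its non-optional name suggests (its body lies outside the hunk), this tightens the build for files that were previously tolerated as absent, and that intent should be recorded in the changelog entry or in a comment above the line, e.g. `# debrand patches are mandatory: fail the build rather than silently skip them`. Using ApplyPatch for the new 1001-net-tls-fix-possible-race-condition-between-do_tls_g.patch is the right choice, since a silently skipped patch would yield a build whose release string claims a CVE fix it does not contain. Note also that %setup now unpacks linux-%{rpmversion}-%{tarfile_release}, i.e. the previous release's tarball, with the fix carried only as a patch; a one-line comment next to `%define tarfile_release` in the earlier hunk would make that arrangement explicit for the next updater.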