From cc5fe84c80ebebb9cc073166f6b8443c469607f3 Mon Sep 17 00:00:00 2001
From: Andrew Lukoshko <andrew.lukoshko@gmail.com>
Date: Mon, 24 Jul 2023 11:00:00 +0200
Subject: [PATCH] net: tls: fix possible race condition between
 do_tls_getsockopt_conf() and do_tls_setsockopt_conf() (Hangyu Hua)
 {CVE-2023-28466}

---
 ...ible-race-condition-between-do_tls_g.patch | 83 +++++++++++++++++++
 SPECS/kernel.spec                             | 16 ++--
 2 files changed, 94 insertions(+), 5 deletions(-)
 create mode 100644 SOURCES/1001-net-tls-fix-possible-race-condition-between-do_tls_g.patch

diff --git a/SOURCES/1001-net-tls-fix-possible-race-condition-between-do_tls_g.patch b/SOURCES/1001-net-tls-fix-possible-race-condition-between-do_tls_g.patch
new file mode 100644
index 0000000..7cd33b7
--- /dev/null
+++ b/SOURCES/1001-net-tls-fix-possible-race-condition-between-do_tls_g.patch
@@ -0,0 +1,83 @@
+From f83f793e1fac3df2dda737ab857099e27b983440 Mon Sep 17 00:00:00 2001
+From: Hangyu Hua <hbh25y@gmail.com>
+Date: Wed, 19 Jul 2023 22:52:35 +0000
+Subject: [PATCH 1/1] net: tls: fix possible race condition between
+ do_tls_getsockopt_conf() and do_tls_setsockopt_conf()
+
+ctx->crypto_send.info is not protected by lock_sock in
+do_tls_getsockopt_conf(). A race condition between do_tls_getsockopt_conf()
+and error paths of do_tls_setsockopt_conf() may lead to a use-after-free
+or null-deref.
+
+More discussion:  https://lore.kernel.org/all/Y/ht6gQL+u6fj3dG@hog/
+
+Fixes: 3c4d7559159b ("tls: kernel TLS support")
+Signed-off-by: Hangyu Hua <hbh25y@gmail.com>
+Link: https://lore.kernel.org/r/20230228023344.9623-1-hbh25y@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+(commit 49c47cc21b5b7a3d8deb18fc57b0aa2ab1286962 upstream)
+
+Conflicts:
+	  net/tls/tls_main.c
+
+CVE: CVE-2023-28466
+Signed-off-by: Mridula Shastry <mridula.c.shastry@oracle.com>
+Reviewed-by: Bert Barbe <bert.barbe@oracle.com>
+---
+ net/tls/tls_main.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+diff --git a/net/tls/tls_main.c b/net/tls/tls_main.c
+index a4ca1bfaa..92909eeca 100644
+--- a/net/tls/tls_main.c
++++ b/net/tls/tls_main.c
+@@ -386,13 +386,11 @@ static int do_tls_getsockopt_conf(struct sock *sk, char __user *optval,
+ 			rc = -EINVAL;
+ 			goto out;
+ 		}
+-		lock_sock(sk);
+ 		memcpy(crypto_info_aes_gcm_128->iv,
+ 		       cctx->iv + TLS_CIPHER_AES_GCM_128_SALT_SIZE,
+ 		       TLS_CIPHER_AES_GCM_128_IV_SIZE);
+ 		memcpy(crypto_info_aes_gcm_128->rec_seq, cctx->rec_seq,
+ 		       TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
+-		release_sock(sk);
+ 		if (copy_to_user(optval,
+ 				 crypto_info_aes_gcm_128,
+ 				 sizeof(*crypto_info_aes_gcm_128)))
+@@ -410,13 +408,11 @@ static int do_tls_getsockopt_conf(struct sock *sk, char __user *optval,
+ 			rc = -EINVAL;
+ 			goto out;
+ 		}
+-		lock_sock(sk);
+ 		memcpy(crypto_info_aes_gcm_256->iv,
+ 		       cctx->iv + TLS_CIPHER_AES_GCM_256_SALT_SIZE,
+ 		       TLS_CIPHER_AES_GCM_256_IV_SIZE);
+ 		memcpy(crypto_info_aes_gcm_256->rec_seq, cctx->rec_seq,
+ 		       TLS_CIPHER_AES_GCM_256_REC_SEQ_SIZE);
+-		release_sock(sk);
+ 		if (copy_to_user(optval,
+ 				 crypto_info_aes_gcm_256,
+ 				 sizeof(*crypto_info_aes_gcm_256)))
+@@ -436,6 +432,8 @@ static int do_tls_getsockopt(struct sock *sk, int optname,
+ {
+ 	int rc = 0;
+ 
++	lock_sock(sk);
++
+ 	switch (optname) {
+ 	case TLS_TX:
+ 	case TLS_RX:
+@@ -446,6 +444,9 @@ static int do_tls_getsockopt(struct sock *sk, int optname,
+ 		rc = -ENOPROTOOPT;
+ 		break;
+ 	}
++
++	release_sock(sk);
++
+ 	return rc;
+ }
+ 
+-- 
+2.39.3
+
diff --git a/SPECS/kernel.spec b/SPECS/kernel.spec
index 3271b5a..99b95bf 100644
--- a/SPECS/kernel.spec
+++ b/SPECS/kernel.spec
@@ -38,10 +38,11 @@
 # define buildid .local
 
 %define rpmversion 4.18.0
-%define pkgrelease 477.13.1.rt7.276.el8_8
+%define pkgrelease 477.15.1.rt7.278.el8_8
+%define tarfile_release 477.13.1.rt7.276.el8_8
 
 # allow pkg_release to have configurable %%{?dist} tag
-%define specrelease 477.13.1.rt7.276%{?dist}
+%define specrelease 477.15.1.rt7.278%{?dist}
 
 %define pkg_release %{specrelease}%{?buildid}
 
@@ -435,7 +436,7 @@ BuildRequires: xmlto
 BuildRequires: asciidoc
 %endif
 
-Source0: linux-%{rpmversion}-%{pkgrelease}.tar.xz
+Source0: linux-%{rpmversion}-%{tarfile_release}.tar.xz
 
 Source9: x509.genkey
 
@@ -520,6 +521,7 @@ Source4000: gating.yaml
 Source4001: rpminspect.yaml
 
 ## Patches needed for building this package
+Patch1003: 1001-net-tls-fix-possible-race-condition-between-do_tls_g.patch
 
 # empty final patch to facilitate testing of kernel patches
 Patch999999: linux-kernel-test.patch
@@ -1076,11 +1078,12 @@ ApplyOptionalPatch()
   fi
 }
 
-%setup -q -n %{name}-%{rpmversion}-%{pkgrelease} -c
-mv linux-%{rpmversion}-%{pkgrelease} linux-%{KVERREL}
+%setup -q -n %{name}-%{rpmversion}-%{tarfile_release} -c
+mv linux-%{rpmversion}-%{tarfile_release} linux-%{KVERREL}
 
 cd linux-%{KVERREL}
 
+ApplyPatch 1001-net-tls-fix-possible-race-condition-between-do_tls_g.patch
 ApplyOptionalPatch linux-kernel-test.patch
 
 # END OF PATCH APPLICATIONS
@@ -2689,6 +2692,9 @@ fi
 #
 #
 %changelog
+* Mon Jul 24 2023 Andrew Lukoshko <alukoshko@almalinux.org> [4.18.0-477.15.1.rt7.278.el8_8]
+- net: tls: fix possible race condition between do_tls_getsockopt_conf() and do_tls_setsockopt_conf() (Hangyu Hua) {CVE-2023-28466}
+
 * Thu May 18 2023 Lucas Zampieri <lzampier@redhat.com> [4.18.0-477.13.1.rt7.276.el8_8.g3045]
 - [rt] build kernel-rt-4.18.0-477.13.1.rt7.276.el8_8.g3045 [2196667]
 - netfilter: nf_tables: deactivate anonymous set from preparation phase (Florian Westphal) [2196154 2196153] {CVE-2023-32233}