net: tls: fix possible race condition between do_tls_getsockopt_conf() and do_tls_setsockopt_conf() (Hangyu Hua) {CVE-2023-28466}

This commit is contained in:
Andrew Lukoshko 2023-07-24 08:31:12 +00:00
parent 22b44d3394
commit d4136628be
2 changed files with 98 additions and 9 deletions

View File

@ -0,0 +1,83 @@
From f83f793e1fac3df2dda737ab857099e27b983440 Mon Sep 17 00:00:00 2001
From: Hangyu Hua <hbh25y@gmail.com>
Date: Wed, 19 Jul 2023 22:52:35 +0000
Subject: [PATCH 1/1] net: tls: fix possible race condition between
do_tls_getsockopt_conf() and do_tls_setsockopt_conf()
ctx->crypto_send.info is not protected by lock_sock in
do_tls_getsockopt_conf(). A race condition between do_tls_getsockopt_conf()
and error paths of do_tls_setsockopt_conf() may lead to a use-after-free
or null-deref.
More discussion: https://lore.kernel.org/all/Y/ht6gQL+u6fj3dG@hog/
Fixes: 3c4d7559159b ("tls: kernel TLS support")
Signed-off-by: Hangyu Hua <hbh25y@gmail.com>
Link: https://lore.kernel.org/r/20230228023344.9623-1-hbh25y@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
(commit 49c47cc21b5b7a3d8deb18fc57b0aa2ab1286962 upstream)
Conflicts:
net/tls/tls_main.c
CVE: CVE-2023-28466
Signed-off-by: Mridula Shastry <mridula.c.shastry@oracle.com>
Reviewed-by: Bert Barbe <bert.barbe@oracle.com>
---
net/tls/tls_main.c | 9 +++++----
1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/net/tls/tls_main.c b/net/tls/tls_main.c
index a4ca1bfaa..92909eeca 100644
--- a/net/tls/tls_main.c
+++ b/net/tls/tls_main.c
@@ -386,13 +386,11 @@ static int do_tls_getsockopt_conf(struct sock *sk, char __user *optval,
rc = -EINVAL;
goto out;
}
- lock_sock(sk);
memcpy(crypto_info_aes_gcm_128->iv,
cctx->iv + TLS_CIPHER_AES_GCM_128_SALT_SIZE,
TLS_CIPHER_AES_GCM_128_IV_SIZE);
memcpy(crypto_info_aes_gcm_128->rec_seq, cctx->rec_seq,
TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
- release_sock(sk);
if (copy_to_user(optval,
crypto_info_aes_gcm_128,
sizeof(*crypto_info_aes_gcm_128)))
@@ -410,13 +408,11 @@ static int do_tls_getsockopt_conf(struct sock *sk, char __user *optval,
rc = -EINVAL;
goto out;
}
- lock_sock(sk);
memcpy(crypto_info_aes_gcm_256->iv,
cctx->iv + TLS_CIPHER_AES_GCM_256_SALT_SIZE,
TLS_CIPHER_AES_GCM_256_IV_SIZE);
memcpy(crypto_info_aes_gcm_256->rec_seq, cctx->rec_seq,
TLS_CIPHER_AES_GCM_256_REC_SEQ_SIZE);
- release_sock(sk);
if (copy_to_user(optval,
crypto_info_aes_gcm_256,
sizeof(*crypto_info_aes_gcm_256)))
@@ -436,6 +432,8 @@ static int do_tls_getsockopt(struct sock *sk, int optname,
{
int rc = 0;
+ lock_sock(sk);
+
switch (optname) {
case TLS_TX:
case TLS_RX:
@@ -446,6 +444,9 @@ static int do_tls_getsockopt(struct sock *sk, int optname,
rc = -ENOPROTOOPT;
break;
}
+
+ release_sock(sk);
+
return rc;
}
--
2.39.3

View File

@ -38,10 +38,11 @@
# define buildid .local # define buildid .local
%define rpmversion 4.18.0 %define rpmversion 4.18.0
%define pkgrelease 477.13.1.el8_8 %define pkgrelease 477.15.1.el8_8
%define tarfile_release 477.13.1.el8_8
# allow pkg_release to have configurable %%{?dist} tag # allow pkg_release to have configurable %%{?dist} tag
%define specrelease 477.13.1%{?dist} %define specrelease 477.15.1%{?dist}
%define pkg_release %{specrelease}%{?buildid} %define pkg_release %{specrelease}%{?buildid}
@ -435,7 +436,7 @@ BuildRequires: xmlto
BuildRequires: asciidoc BuildRequires: asciidoc
%endif %endif
Source0: linux-%{rpmversion}-%{pkgrelease}.tar.xz Source0: linux-%{rpmversion}-%{tarfile_release}.tar.xz
Source9: x509.genkey Source9: x509.genkey
@ -525,6 +526,7 @@ Patch999999: linux-kernel-test.patch
Patch1000: debrand-single-cpu.patch Patch1000: debrand-single-cpu.patch
# Patch1001: debrand-rh_taint.patch # Patch1001: debrand-rh_taint.patch
Patch1002: debrand-rh-i686-cpu.patch Patch1002: debrand-rh-i686-cpu.patch
Patch1003: 1001-net-tls-fix-possible-race-condition-between-do_tls_g.patch
# END OF PATCH DEFINITIONS # END OF PATCH DEFINITIONS
@ -1079,15 +1081,16 @@ ApplyOptionalPatch()
fi fi
} }
%setup -q -n %{name}-%{rpmversion}-%{pkgrelease} -c %setup -q -n %{name}-%{rpmversion}-%{tarfile_release} -c
cp -v %{SOURCE9000} linux-%{rpmversion}-%{pkgrelease}/certs/rhel.pem cp -v %{SOURCE9000} linux-%{rpmversion}-%{tarfile_release}/certs/rhel.pem
mv linux-%{rpmversion}-%{pkgrelease} linux-%{KVERREL} mv linux-%{rpmversion}-%{tarfile_release} linux-%{KVERREL}
cd linux-%{KVERREL} cd linux-%{KVERREL}
ApplyOptionalPatch debrand-single-cpu.patch ApplyPatch debrand-single-cpu.patch
# ApplyOptionalPatch debrand-rh_taint.patch # ApplyPatch debrand-rh_taint.patch
ApplyOptionalPatch debrand-rh-i686-cpu.patch ApplyPatch debrand-rh-i686-cpu.patch
ApplyPatch 1001-net-tls-fix-possible-race-condition-between-do_tls_g.patch
ApplyOptionalPatch linux-kernel-test.patch ApplyOptionalPatch linux-kernel-test.patch
# END OF PATCH APPLICATIONS # END OF PATCH APPLICATIONS
@ -2691,6 +2694,9 @@ fi
# #
# #
%changelog %changelog
* Mon Jul 24 2023 Andrew Lukoshko <alukoshko@almalinux.org> [4.18.0-477.15.1.el8_8]
- net: tls: fix possible race condition between do_tls_getsockopt_conf() and do_tls_setsockopt_conf() (Hangyu Hua) {CVE-2023-28466}
* Thu May 18 2023 Lucas Zampieri <lzampier@redhat.com> [4.18.0-477.13.1.el8_8] * Thu May 18 2023 Lucas Zampieri <lzampier@redhat.com> [4.18.0-477.13.1.el8_8]
- netfilter: nf_tables: deactivate anonymous set from preparation phase (Florian Westphal) [2196147 2196146] {CVE-2023-32233} - netfilter: nf_tables: deactivate anonymous set from preparation phase (Florian Westphal) [2196147 2196146] {CVE-2023-32233}