linux/net/tls
Sabrina Dubroca 13114dc554 tls: fix use-after-free on failed backlog decryption
When the decrypt request goes to the backlog and crypto_aead_decrypt
returns -EBUSY, tls_do_decryption will wait until all async
decryptions have completed. If one of them fails, tls_do_decryption
will return -EBADMSG and tls_decrypt_sg jumps to the error path,
releasing all the pages. But the pages have been passed to the async
callback, and have already been released by tls_decrypt_done.

The only true async case is when crypto_aead_decrypt returns
 -EINPROGRESS. With -EBUSY, we already waited so we can tell
tls_sw_recvmsg that the data is available for immediate copy, but we
need to notify tls_decrypt_sg (via the new ->async_done flag) that the
memory has already been released.

Fixes: 8590541473 ("net: tls: handle backlogging of crypto requests")
Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
Link: https://lore.kernel.org/r/4755dd8d9bebdefaa19ce1439b833d6199d4364c.1709132643.git.sd@queasysnail.net
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2024-02-29 09:07:16 -08:00
..
Kconfig
Makefile tls: rx: async: hold onto the input skb 2022-07-18 11:24:11 +01:00
tls_device_fallback.c tls: rename MAX_IV_SIZE to TLS_MAX_IV_SIZE 2023-10-13 11:26:09 +01:00
tls_device.c tls: don't reset prot->aad_size and prot->tail_size for TLS_HW 2023-10-23 10:15:09 -07:00
tls_main.c mptcp: fix lockless access in subflow ULP diag 2024-02-18 10:25:00 +00:00
tls_proc.c tls: rx: add counter for NoPad violations 2022-07-11 19:48:33 -07:00
tls_strp.c net/tls: Use tcp_read_sock() instead of ops->read_sock() 2023-07-27 19:49:35 -07:00
tls_sw.c tls: fix use-after-free on failed backlog decryption 2024-02-29 09:07:16 -08:00
tls_toe.c tls: create an internal header 2022-07-08 18:38:45 -07:00
tls.h tls: don't reset prot->aad_size and prot->tail_size for TLS_HW 2023-10-23 10:15:09 -07:00
trace.c
trace.h