On Fri, May 18, 2018 at 02:55:35PM -0500, Wenwen Wang wrote: > In do_chtls_setsockopt(), the tls crypto info is first copied from the > poiner 'optval' in userspace and saved to 'tmp_crypto_info'. Then the > 'version' of the crypto info is checked. If the version is not as expected, > i.e., TLS_1_2_VERSION, error code -ENOTSUPP is returned to indicate that > the provided crypto info is not supported yet. Then, the 'cipher_type' > field of the 'tmp_crypto_info' is also checked to see if it is > TLS_CIPHER_AES_GCM_128. If it is, the whole struct of > tls12_crypto_info_aes_gcm_128 is copied from the pointer 'optval' and then > the function chtls_setkey() is invoked to set the key. > > Given that the 'optval' pointer resides in userspace, a malicious userspace > process can race to change the data pointed by 'optval' between the two > copies. For example, a user can provide a crypto info with TLS_1_2_VERSION > and TLS_CIPHER_AES_GCM_128. After the first copy, the user can modify the > 'version' and the 'cipher_type' fields to any versions and/or cipher types > that are not allowed. This way, the user can bypass the checks, inject > bad data to the kernel, cause chtls_setkey() to set a wrong key or other > issues. > > This patch reuses the data copied in the first try so as to ensure these > checks will not be bypassed. > > Signed-off-by: Wenwen Wang <wang6495@xxxxxxx> Patch applied. Thanks. -- Email: Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx> Home Page: http://gondor.apana.org.au/~herbert/ PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt