On Wed, 30 Oct 2019 09:05:42 -0700, Jakub Kicinski wrote:
> sk_msg_trim() tries to only update curr pointer if it falls into
> the trimmed region. The logic, however, does not take into the
> account pointer wrapping that sk_msg_iter_var_prev() does.
> This means that when the message was trimmed completely, the new
> curr pointer would have the value of MAX_MSG_FRAGS - 1, which is
> neither smaller than any other value, nor would it actually be
> correct.
>
> Special case the trimming to 0 length a little bit.
>
> This bug caused the TLS code to not copy all of the message, if
> zero copy filled in fewer sg entries than memcopy would need.
>
> Big thanks to Alexander Potapenko for the non-KMSAN reproducer.
>
> Fixes: d829e9c4112b ("tls: convert to generic sk_msg interface")
> Reported-by: syzbot+f8495bff23a879a6d0bd@xxxxxxxxxxxxxxxxxxxxxxxxx
> Reported-by: syzbot+6f50c99e8f6194bf363f@xxxxxxxxxxxxxxxxxxxxxxxxx
> Signed-off-by: Jakub Kicinski <jakub.kicinski@xxxxxxxxxxxxx>
> ---
> Daniel, John, does this look okay?
>
> CC: Eric Biggers <ebiggers@xxxxxxxxxx>
> CC: herbert@xxxxxxxxxxxxxxxxxxx
> CC: glider@xxxxxxxxxx
> CC: linux-crypto@xxxxxxxxxxxxxxx
>
> net/core/skmsg.c | 5 ++++-
> 1 file changed, 4 insertions(+), 1 deletion(-)
Daniel, John does this patch look reasonable? I must admit
the skmsg stuff in TLS scares me, it'd appreciate an ack.
