Patch "tls: rx: strp: fix determining record length in copy mode" has been added to the 6.1-stable tree

Sasha Levin <sashal@xxxxxxxxxx> · Sun, 28 May 2023 22:46:59 -0400

This is a note to let you know that I've just added the patch titled

    tls: rx: strp: fix determining record length in copy mode

to the 6.1-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     tls-rx-strp-fix-determining-record-length-in-copy-mo.patch
and it can be found in the queue-6.1 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit 44208b50d590560b00e95c93b4078c892f242444
Author: Jakub Kicinski <kuba@xxxxxxxxxx>
Date:   Tue May 16 18:50:39 2023 -0700

    tls: rx: strp: fix determining record length in copy mode
    
    [ Upstream commit 8b0c0dc9fbbd01e58a573a41c38885f9e4c17696 ]
    
    We call tls_rx_msg_size(skb) before doing skb->len += chunk.
    So the tls_rx_msg_size() code will see old skb->len, most
    likely leading to an over-read.
    
    Worst case we will over read an entire record, next iteration
    will try to trim the skb but may end up turning frag len negative
    or discarding the subsequent record (since we already told TCP
    we've read it during previous read but now we'll trim it out of
    the skb).
    
    Fixes: 84c61fe1a75b ("tls: rx: do not use the standard strparser")
    Tested-by: Shai Amiram <samiram@xxxxxxxxxx>
    Signed-off-by: Jakub Kicinski <kuba@xxxxxxxxxx>
    Reviewed-by: Simon Horman <simon.horman@xxxxxxxxxxxx>
    Signed-off-by: David S. Miller <davem@xxxxxxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/net/tls/tls_strp.c b/net/tls/tls_strp.c
index 24016c865e004..9889df5ce0660 100644
--- a/net/tls/tls_strp.c
+++ b/net/tls/tls_strp.c
@@ -210,19 +210,28 @@ static int tls_strp_copyin(read_descriptor_t *desc, struct sk_buff *in_skb,
 					   skb_frag_size(frag),
 					   chunk));
 
-		sz = tls_rx_msg_size(strp, strp->anchor);
+		skb->len += chunk;
+		skb->data_len += chunk;
+		skb_frag_size_add(frag, chunk);
+
+		sz = tls_rx_msg_size(strp, skb);
 		if (sz < 0) {
 			desc->error = sz;
 			return 0;
 		}
 
 		/* We may have over-read, sz == 0 is guaranteed under-read */
-		if (sz > 0)
-			chunk =	min_t(size_t, chunk, sz - skb->len);
+		if (unlikely(sz && sz < skb->len)) {
+			int over = skb->len - sz;
+
+			WARN_ON_ONCE(over > chunk);
+			skb->len -= over;
+			skb->data_len -= over;
+			skb_frag_size_add(frag, -over);
+
+			chunk -= over;
+		}
 
-		skb->len += chunk;
-		skb->data_len += chunk;
-		skb_frag_size_add(frag, chunk);
 		frag++;
 		len -= chunk;
 		offset += chunk;






