Patch "tls: reset crypto_info when do_tls_setsockopt_tx fails" has been added to the 4.14-stable tree

<gregkh@xxxxxxxxxxxxxxxxxxx> · Sun, 28 Jan 2018 17:39:12 +0100

This is a note to let you know that I've just added the patch titled

    tls: reset crypto_info when do_tls_setsockopt_tx fails

to the 4.14-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     tls-reset-crypto_info-when-do_tls_setsockopt_tx-fails.patch
and it can be found in the queue-4.14 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.


>From foo@baz Sun Jan 28 17:35:08 CET 2018
From: Sabrina Dubroca <sd@xxxxxxxxxxxxxxx>
Date: Tue, 16 Jan 2018 16:04:28 +0100
Subject: tls: reset crypto_info when do_tls_setsockopt_tx fails

From: Sabrina Dubroca <sd@xxxxxxxxxxxxxxx>


[ Upstream commit 6db959c82eb039a151d95a0f8b7dea643657327a ]

The current code copies directly from userspace to ctx->crypto_send, but
doesn't always reinitialize it to 0 on failure. This causes any
subsequent attempt to use this setsockopt to fail because of the
TLS_CRYPTO_INFO_READY check, eventhough crypto_info is not actually
ready.

This should result in a correctly set up socket after the 3rd call, but
currently it does not:

    size_t s = sizeof(struct tls12_crypto_info_aes_gcm_128);
    struct tls12_crypto_info_aes_gcm_128 crypto_good = {
        .info.version = TLS_1_2_VERSION,
        .info.cipher_type = TLS_CIPHER_AES_GCM_128,
    };

    struct tls12_crypto_info_aes_gcm_128 crypto_bad_type = crypto_good;
    crypto_bad_type.info.cipher_type = 42;

    setsockopt(sock, SOL_TLS, TLS_TX, &crypto_bad_type, s);
    setsockopt(sock, SOL_TLS, TLS_TX, &crypto_good, s - 1);
    setsockopt(sock, SOL_TLS, TLS_TX, &crypto_good, s);

Fixes: 3c4d7559159b ("tls: kernel TLS support")
Signed-off-by: Sabrina Dubroca <sd@xxxxxxxxxxxxxxx>
Signed-off-by: David S. Miller <davem@xxxxxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
 net/tls/tls_main.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/net/tls/tls_main.c
+++ b/net/tls/tls_main.c
@@ -373,7 +373,7 @@ static int do_tls_setsockopt_tx(struct s
 	case TLS_CIPHER_AES_GCM_128: {
 		if (optlen != sizeof(struct tls12_crypto_info_aes_gcm_128)) {
 			rc = -EINVAL;
-			goto out;
+			goto err_crypto_info;
 		}
 		rc = copy_from_user(
 		  crypto_info,
@@ -388,7 +388,7 @@ static int do_tls_setsockopt_tx(struct s
 	}
 	default:
 		rc = -EINVAL;
-		goto out;
+		goto err_crypto_info;
 	}
 
 	ctx->sk_write_space = sk->sk_write_space;


Patches currently in stable-queue which might be from sd@xxxxxxxxxxxxxxx are

queue-4.14/tls-reset-crypto_info-when-do_tls_setsockopt_tx-fails.patch
queue-4.14/tls-return-ebusy-if-crypto_info-is-already-set.patch
queue-4.14/tls-fix-sw_ctx-leak.patch






