linux/net/tls
Dae R. Jeong ab67c2fd3d tls: fix missing memory barrier in tls_init
[ Upstream commit 91e61dd7a0 ]

In tls_init(), a write memory barrier is missing, and store-store
reordering may cause NULL dereference in tls_{setsockopt,getsockopt}.

CPU0                               CPU1
-----                              -----
// In tls_init()
// In tls_ctx_create()
ctx = kzalloc()
ctx->sk_proto = READ_ONCE(sk->sk_prot) -(1)

// In update_sk_prot()
WRITE_ONCE(sk->sk_prot, tls_prots)     -(2)

                                   // In sock_common_setsockopt()
                                   READ_ONCE(sk->sk_prot)->setsockopt()

                                   // In tls_{setsockopt,getsockopt}()
                                   ctx->sk_proto->setsockopt()    -(3)

In the above scenario, when (1) and (2) are reordered, (3) can observe
the NULL value of ctx->sk_proto, causing NULL dereference.

To fix it, we rely on rcu_assign_pointer() which implies the release
barrier semantic. By moving rcu_assign_pointer() after ctx->sk_proto is
initialized, we can ensure that ctx->sk_proto are visible when
changing sk->sk_prot.

Fixes: d5bee7374b ("net/tls: Annotate access to sk_prot with READ_ONCE/WRITE_ONCE")
Signed-off-by: Yewon Choi <woni9911@gmail.com>
Signed-off-by: Dae R. Jeong <threeearcat@gmail.com>
Link: https://lore.kernel.org/netdev/ZU4OJG56g2V9z_H7@dragonet/T/
Link: https://lore.kernel.org/r/Zkx4vjSFp0mfpjQ2@libra05
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2024-06-12 11:12:50 +02:00
..
Kconfig net/tls: Select SOCK_RX_QUEUE_MAPPING from TLS_DEVICE 2021-02-11 19:08:06 -08:00
Makefile tls: rx: async: hold onto the input skb 2022-07-18 11:24:11 +01:00
tls_device_fallback.c tls: expand use of tls_cipher_desc in tls_sw_fallback_init 2023-08-27 17:17:42 -07:00
tls_device.c tls: expand use of tls_cipher_desc in tls_set_device_offload 2023-08-27 17:17:41 -07:00
tls_main.c tls: fix missing memory barrier in tls_init 2024-06-12 11:12:50 +02:00
tls_proc.c tls: rx: add counter for NoPad violations 2022-07-11 19:48:33 -07:00
tls_strp.c tls: fix lockless read of strp->msg_ready in ->poll 2024-05-02 16:32:40 +02:00
tls_sw.c tls: get psock ref after taking rxlock to avoid leak 2024-04-10 16:35:43 +02:00
tls_toe.c tls: create an internal header 2022-07-08 18:38:45 -07:00
tls.h tls: fix lockless read of strp->msg_ready in ->poll 2024-05-02 16:32:40 +02:00
trace.c net/tls: add tracing for device/offload events 2019-10-05 16:29:00 -07:00
trace.h net/tls: add device decrypted trace point 2019-10-05 16:29:00 -07:00