• Ziyang Xuan's avatar
    net/tls: fix slab-out-of-bounds bug in decrypt_internal · 9381fe8c
    Ziyang Xuan authored
    The memory size of tls_ctx->rx.iv for AES128-CCM is 12 setting in
    tls_set_sw_offload(). The return value of crypto_aead_ivsize()
    for "ccm(aes)" is 16. So memcpy() require 16 bytes from 12 bytes
    memory space will trigger slab-out-of-bounds bug as following:
    
    ==================================================================
    BUG: KASAN: slab-out-of-bounds in decrypt_internal+0x385/0xc40 [tls]
    Read of size 16 at addr ffff888114e84e60 by task tls/10911
    
    Call Trace:
     <TASK>
     dump_stack_lvl+0x34/0x44
     print_report.cold+0x5e/0x5db
     ? decrypt_internal+0x385/0xc40 [tls]
     kasan_report+0xab/0x120
     ? decrypt_internal+0x385/0xc40 [tls]
     kasan_check_range+0xf9/0x1e0
     memcpy+0x20/0x60
     decrypt_internal+0x385/0xc40 [tls]
     ? tls_get_rec+0x2e0/0x2e0 [tls]
     ? process_rx_list+0x1a5/0x420 [tls]
     ? tls_setup_from_iter.constprop.0+0x2e0/0x2e0 [tls]
     decrypt_skb_update+0x9d/0x400 [tls]
     tls_sw_recvmsg+0x3c8/0xb50 [tls]
    
    Allocated by task 10911:
     kasan_save_stack+0x1e/0x40
     __kasan_kmalloc+0x81/0xa0
     tls_set_sw_offload+0x2eb/0xa20 [tls]
     tls_setsockopt+0x68c/0x700 [tls]
     __sys_setsockopt+0xfe/0x1b0
    
    Replace the crypto_aead_ivsize() with prot->iv_size + prot->salt_size
    when memcpy() iv value in TLS_1_3_VERSION scenario.
    
    Fixes: f295b3ae
    
     ("net/tls: Add support of AES128-CCM based ciphers")
    Signed-off-by: default avatarZiyang Xuan <william.xuanziyang@huawei.com>
    Reviewed-by: default avatarJakub Kicinski <kuba@kernel.org>
    Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
    9381fe8c
tls_sw.c 64.9 KB