• Daniel Jordan's avatar
    net/tls: Fix flipped sign in tls_err_abort() calls · da353fac
    Daniel Jordan authored
    sk->sk_err appears to expect a positive value, a convention that ktls
    doesn't always follow and that leads to memory corruption in other code.
    For instance,
    
        [kworker]
        tls_encrypt_done(..., err=<negative error from crypto request>)
          tls_err_abort(.., err)
            sk->sk_err = err;
    
        [task]
        splice_from_pipe_feed
          ...
            tls_sw_do_sendpage
              if (sk->sk_err) {
                ret = -sk->sk_err;  // ret is positive
    
        splice_from_pipe_feed (continued)
          ret = actor(...)  // ret is still positive and interpreted as bytes
                            // written, resulting in underflow of buf->len and
                            // sd->len, leading to huge buf->offset and bogus
                            // addresses computed in later calls to actor()
    
    Fix all tls_err_abort() callers to pass a negative error code
    consistently and centralize the error-prone sign flip there, throwing in
    a warning to catch future misuse and uninlining the function so it
    really does only warn once.
    
    Cc: stable@vger.kernel.org
    Fixes: c46234eb ("tls: RX path for ktls")
    Reported-by: syzbot+b187b77c8474f9648fae@syzkaller.appspotmail.com
    Signed-off-by: default avatarDaniel Jordan <daniel.m.jordan@oracle.com>
    Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
    da353fac
tls.h 20.9 KB