diff mbox series

[5.4,022/158] net/tls: fix corrupted data in recvmsg

Message ID	20201123121821.004516205@linuxfoundation.org
State	New
Headers	show Return-Path: <stable-owner@kernel.org> From: Greg Kroah-Hartman <gregkh@linuxfoundation.org> To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>, stable@vger.kernel.org, Vadim Fedorenko <vfedorenko@novek.ru>, Jakub Kicinski <kuba@kernel.org> Subject: [PATCH 5.4 022/158] net/tls: fix corrupted data in recvmsg Date: Mon, 23 Nov 2020 13:20:50 +0100 Message-Id: <20201123121821.004516205@linuxfoundation.org> In-Reply-To: <20201123121819.943135899@linuxfoundation.org> References: <20201123121819.943135899@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Precedence: bulk
Series	None \| expand [5.4,002/158] atm: nicstar: Unmap DMA on send error [5.4,003/158] bnxt_en: read EEPROM A2h address using page 0 [5.4,004/158] devlink: Add missing genlmsg_cancel() in devlink_nl_sb_port_pool_fill() [5.4,005/158] Exempt multicast addresses from five-second neighbor lifetime [5.4,006/158] inet_diag: Fix error path to cancel the meseage in inet_req_diag_fill() [5.4,007/158] ipv6: Fix error path to cancel the meseage [5.4,008/158] lan743x: fix issue causing intermittent kernel log warnings [5.4,009/158] lan743x: prevent entire kernel HANG on open, for some platforms [5.4,010/158] mlxsw: core: Use variable timeout for EMAD retries [5.4,011/158] net: b44: fix error return code in b44_init_one() [5.4,012/158] net: bridge: add missing counters to ndo_get_stats64 callback [5.4,013/158] net: dsa: mv88e6xxx: Avoid VTU corruption on 6097 [5.4,014/158] net: ethernet: ti: cpsw: fix error return code in cpsw_probe() [5.4,015/158] net: Have netpoll bring-up DSA management interface [5.4,016/158] netlabel: fix our progress tracking in netlbl_unlabel_staticlist() [5.4,017/158] netlabel: fix an uninitialized warning in netlbl_unlabel_staticlist() [5.4,018/158] net: lantiq: Wait for the GPHY firmware to be ready [5.4,019/158] net/mlx4_core: Fix init_hca fields offset [5.4,020/158] net: qualcomm: rmnet: Fix incorrect receive packet handling during cleanup [5.4,021/158] net/smc: fix direct access to ib_gid_addr->ndev in smc_ib_determine_gid() [5.4,022/158] net/tls: fix corrupted data in recvmsg [5.4,023/158] net: x25: Increase refcnt of "struct x25_neigh" in x25_rx_call_request [5.4,024/158] page_frag: Recover from memory pressure [5.4,025/158] qed: fix error return code in qed_iwarp_ll2_start() [5.4,026/158] qlcnic: fix error return code in qlcnic_83xx_restart_hw() [5.4,027/158] sctp: change to hold/put transport for proto_unreach_timer [5.4,028/158] tcp: only postpone PROBE_RTT if RTT is < current min_rtt estimate [5.4,029/158] net/mlx5: Add handling of port type in rule deletion [5.4,030/158] net/mlx5: Disable QoS when min_rates on all VFs are zero [5.4,031/158] net: usb: qmi_wwan: Set DTR quirk for MR400 [5.4,032/158] net/ncsi: Fix netlink registration [5.4,033/158] net: ftgmac100: Fix crash when removing driver [5.4,034/158] pinctrl: rockchip: enable gpio pclk for rockchip_gpio_to_irq [5.4,035/158] scsi: ufs: Fix unbalanced scsi_block_reqs_cnt caused by ufshcd_hold() [5.4,036/158] selftests: kvm: Fix the segment descriptor layout to match the actual layout [5.4,037/158] ACPI: button: Add DMI quirk for Medion Akoya E2228T [5.4,038/158] arm64: errata: Fix handling of 1418040 with late CPU onlining [5.4,039/158] arm64: psci: Avoid printing in cpu_psci_cpu_die() [5.4,040/158] arm64: smp: Tell RCU about CPUs that fail to come online [5.4,041/158] vfs: remove lockdep bogosity in __sb_start_write [5.4,042/158] gfs2: fix possible reference leak in gfs2_check_blk_type [5.4,043/158] hwmon: (pwm-fan) Fix RPM calculation [5.4,044/158] compiler.h: fix barrier_data() on clang [5.4,045/158] arm64: dts: allwinner: beelink-gs1: Enable both RGMII RX/TX delay [5.4,046/158] arm64: dts: allwinner: Pine H64: Enable both RGMII RX/TX delay [5.4,047/158] arm64: dts: allwinner: a64: OrangePi Win: Fix ethernet node [5.4,048/158] arm64: dts: allwinner: a64: Pine64 Plus: Fix ethernet node [5.4,049/158] arm64: dts: allwinner: h5: OrangePi PC2: Fix ethernet node [5.4,050/158] ARM: dts: sun8i: r40: bananapi-m2-ultra: Fix ethernet node [5.4,051/158] Revert "arm: sun8i: orangepi-pc-plus: Set EMAC activity LEDs to active high" [5.4,052/158] ARM: dts: sun6i: a31-hummingbird: Enable RGMII RX/TX delay on Ethernet PHY [5.4,053/158] ARM: dts: sun7i: cubietruck: Enable RGMII RX/TX delay on Ethernet PHY [5.4,054/158] ARM: dts: sun7i: bananapi-m1-plus: Enable RGMII RX/TX delay on Ethernet PHY [5.4,055/158] ARM: dts: sun8i: h3: orangepi-plus2e: Enable RGMII RX/TX delay on Ethernet PHY [5.4,056/158] ARM: dts: sun8i: a83t: Enable both RGMII RX/TX delay on Ethernet PHY [5.4,057/158] ARM: dts: sun9i: Enable both RGMII RX/TX delay on Ethernet PHY [5.4,058/158] ARM: dts: sunxi: bananapi-m2-plus: Enable RGMII RX/TX delay on Ethernet PHY [5.4,059/158] arm64: dts: allwinner: a64: bananapi-m64: Enable RGMII RX/TX delay on PHY [5.4,060/158] Input: adxl34x - clean up a data type in adxl34x_probe() [5.4,061/158] MIPS: export has_transparent_hugepage() for modules [5.4,062/158] arm64: dts: allwinner: h5: OrangePi Prime: Fix ethernet node [5.4,063/158] arm64: dts imx8mn: Remove non-existent USB OTG2 [5.4,064/158] arm: dts: imx6qdl-udoo: fix rgmii phy-mode for ksz9031 phy [5.4,065/158] swiotlb: using SIZE_MAX needs limits.h included [5.4,066/158] arm64: dts: imx8mm: fix voltage for 1.6GHz CPU operating point [5.4,067/158] ARM: dts: imx50-evk: Fix the chip select 1 IOMUX [5.4,068/158] Input: resistive-adc-touch - fix kconfig dependency on IIO_BUFFER [5.4,069/158] rfkill: Fix use-after-free in rfkill_resume() [5.4,070/158] RDMA/pvrdma: Fix missing kfree() in pvrdma_register_device() [5.4,071/158] RMDA/sw: Dont allow drivers using dma_virt_ops on highmem configs [5.4,072/158] perf lock: Dont free "lock_seq_stat" if read_count isnt zero [5.4,073/158] tools, bpftool: Add missing close before bpftool net attach exit [5.4,074/158] ip_tunnels: Set tunnel option flag when tunnel metadata is present [5.4,075/158] can: af_can: prevent potential access of uninitialized member in can_rcv() [5.4,076/158] can: af_can: prevent potential access of uninitialized member in canfd_rcv() [5.4,077/158] can: dev: can_restart(): post buffer from the right context [5.4,078/158] can: ti_hecc: Fix memleak in ti_hecc_probe [5.4,079/158] can: mcba_usb: mcba_usb_start_xmit(): first fill skb, then pass to can_put_echo_skb() [5.4,080/158] can: peak_usb: fix potential integer overflow on shift of a int [5.4,081/158] can: flexcan: fix failure handling of pm_runtime_get_sync() [5.4,082/158] can: tcan4x5x: replace depends on REGMAP_SPI with depends on SPI [5.4,083/158] can: tcan4x5x: tcan4x5x_can_probe(): add missing error checking for devm_regmap_init() [5.4,084/158] can: tcan4x5x: tcan4x5x_can_remove(): fix order of deregistration [5.4,085/158] can: m_can: m_can_handle_state_change(): fix state change [5.4,086/158] can: m_can: m_can_class_free_dev(): introduce new function [5.4,087/158] can: m_can: m_can_stop(): set device to software init mode before closing [5.4,088/158] ASoC: qcom: lpass-platform: Fix memory leak [5.4,089/158] selftests/bpf: Fix error return code in run_getsockopt_test() [5.4,090/158] MIPS: Alchemy: Fix memleak in alchemy_clk_setup_cpu [5.4,091/158] drm/sun4i: dw-hdmi: fix error return code in sun8i_dw_hdmi_bind() [5.4,092/158] net/mlx5: E-Switch, Fail mlx5_esw_modify_vport_rate if qos disabled [5.4,093/158] bpf, sockmap: Fix partial copy_page_to_iter so progress can still be made [5.4,094/158] bpf, sockmap: Ensure SO_RCVBUF memory is observed on ingress redirect [5.4,095/158] can: kvaser_pciefd: Fix KCAN bittiming limits [5.4,096/158] can: kvaser_usb: kvaser_usb_hydra: Fix KCAN bittiming limits [5.4,097/158] iommu/vt-d: Move intel_iommu_gfx_mapped to Intel IOMMU header [5.4,098/158] iommu/vt-d: Avoid panic if iommu init fails in tboot system [5.4,099/158] can: flexcan: flexcan_chip_start(): fix erroneous flexcan_transceiver_enable() duri... [5.4,100/158] can: m_can: process interrupt only when not runtime suspended [5.4,101/158] xfs: fix the minrecs logic when dealing with inode root child blocks [5.4,102/158] xfs: strengthen rmap record flags checking [5.4,103/158] xfs: return corresponding errcode if xfs_initialize_perag() fail [5.4,104/158] regulator: ti-abb: Fix array out of bound read access on the first transition [5.4,105/158] fail_function: Remove a redundant mutex unlock [5.4,106/158] xfs: revert "xfs: fix rmap key and record comparison functions" [5.4,107/158] bpf, sockmap: Skb verdict SK_PASS to self already checked rmem limits [5.4,108/158] bpf, sockmap: On receive programs try to fast track SK_PASS ingress [5.4,109/158] bpf, sockmap: Use truesize with sk_rmem_schedule() [5.4,110/158] bpf, sockmap: Avoid returning unneeded EAGAIN when redirecting to self [5.4,111/158] efi/x86: Free efi_pgd with free_pages() [5.4,112/158] libfs: fix error cast of negative value in simple_attr_write() [5.4,113/158] HID: logitech-hidpp: Add PID for MX Anywhere 2 [5.4,114/158] HID: logitech-dj: Handle quad/bluetooth keyboards with a builtin trackpad [5.4,115/158] HID: logitech-dj: Fix Dinovo Mini when paired with a MX5x00 receiver [5.4,116/158] speakup: Do not let the line discipline be used several times [5.4,117/158] ALSA: firewire: Clean up a locking issue in copy_resp_to_buf() [5.4,118/158] ALSA: usb-audio: Add delay quirk for all Logitech USB devices [5.4,119/158] ALSA: ctl: fix error path at adding user-defined element set [5.4,120/158] ALSA: mixart: Fix mutex deadlock [5.4,121/158] ALSA: hda/realtek - Add supported for Lenovo ThinkPad Headset Button [5.4,122/158] ALSA: hda/realtek: Add some Clove SSID in the ALC293(ALC1220) [5.4,123/158] tty: serial: imx: fix potential deadlock [5.4,124/158] tty: serial: imx: keep console clocks always on [5.4,125/158] HID: logitech-dj: Fix an error in mse_bluetooth_descriptor [5.4,126/158] efivarfs: fix memory leak in efivarfs_create() [5.4,127/158] staging: rtl8723bs: Add 024c:0627 to the list of SDIO device-ids [5.4,128/158] iio: light: fix kconfig dependency bug for VCNL4035 [5.4,129/158] ext4: fix bogus warning in ext4_update_dx_flag() [5.4,130/158] iio: accel: kxcjk1013: Replace is_smo8500_device with an acpi_type enum [5.4,131/158] iio: accel: kxcjk1013: Add support for KIOX010A ACPI DSM for setting tablet-mode [5.4,132/158] iio: adc: mediatek: fix unset field [5.4,133/158] spi: lpspi: Fix use-after-free on unbind [5.4,134/158] spi: Introduce device-managed SPI controller allocation [5.4,135/158] spi: npcm-fiu: Dont leak SPI master in probe error path [5.4,136/158] spi: bcm2835aux: Fix use-after-free on unbind [5.4,137/158] regulator: pfuze100: limit pfuze-support-disable-sw to pfuze{100,200} [5.4,138/158] regulator: fix memory leak with repeated set_machine_constraints() [5.4,139/158] regulator: avoid resolve_supply() infinite recursion [5.4,140/158] regulator: workaround self-referent regulators [5.4,141/158] xtensa: fix TLBTEMP area placement [5.4,142/158] xtensa: disable preemption around cache alias management calls [5.4,143/158] mac80211: minstrel: remove deferred sampling code [5.4,144/158] mac80211: minstrel: fix tx status processing corner case [5.4,145/158] mac80211: free sta in sta_info_insert_finish() on errors [5.4,146/158] s390/cpum_sf.c: fix file permission for cpum_sfb_size [5.4,147/158] s390/dasd: fix null pointer dereference for ERP requests [5.4,148/158] Drivers: hv: vmbus: Allow cleanup of VMBUS_CONNECT_CPU if disconnected [5.4,149/158] drm/amd/display: Add missing pflip irq for dcn2.0 [5.4,150/158] drm/i915: Handle max_bpc==16 [5.4,151/158] mmc: sdhci-pci: Prefer SDR25 timing for High Speed mode for BYT-based Intel control... [5.4,152/158] ptrace: Set PF_SUPERPRIV when checking capability [5.4,153/158] seccomp: Set PF_SUPERPRIV when checking capability [5.4,154/158] x86/microcode/intel: Check patch signature before saving microcode for early loading [5.4,155/158] mm: memcg/slab: fix root memcg vmstats [5.4,156/158] mm/userfaultfd: do not access vma->vm_mm after calling handle_userfault() [5.4,157/158] mm, page_alloc: skip ->waternark_boost for atomic order-0 allocations [5.4,158/158] sched/fair: Fix overutilized update in enqueue_task_fair()

Commit Message

Greg KH Nov. 23, 2020, 12:20 p.m. UTC

From: Vadim Fedorenko <vfedorenko@novek.ru>

[ Upstream commit 3fe16edf6767decd640fa2654308bc64f8d656dc ]

If tcp socket has more data than Encrypted Handshake Message then
tls_sw_recvmsg will try to decrypt next record instead of returning
full control message to userspace as mentioned in comment. The next
message - usually Application Data - gets corrupted because it uses
zero copy for decryption that's why the data is not stored in skb
for next iteration. Revert check to not decrypt next record if
current is not Application Data.

Fixes: 692d7b5d1f91 ("tls: Fix recvmsg() to be able to peek across multiple records")
Signed-off-by: Vadim Fedorenko <vfedorenko@novek.ru>
Link: https://lore.kernel.org/r/1605413760-21153-1-git-send-email-vfedorenko@novek.ru
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/tls/tls_sw.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff mbox series

Patch

--- a/net/tls/tls_sw.c
+++ b/net/tls/tls_sw.c
@@ -1907,7 +1907,7 @@  pick_next_record:
 			 * another message type
 			 */
 			msg->msg_flags |= MSG_EOR;
-			if (ctx->control != TLS_RECORD_TYPE_DATA)
+			if (control != TLS_RECORD_TYPE_DATA)
 				goto recv_end;
 		} else {
 			break;