mirrors/linux
1
0
Fork 0
mirror of https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git synced 2025-01-24 09:13:20 -05:00
Code Activity
linux/net
History
Jann Horn 53f2cb491b tls: fix NULL deref on tls_sw_splice_eof() with empty record 
syzkaller discovered that if tls_sw_splice_eof() is executed as part of
sendfile() when the plaintext/ciphertext sk_msg are empty, the send path
gets confused because the empty ciphertext buffer does not have enough
space for the encryption overhead. This causes tls_push_record() to go on
the `split = true` path (which is only supposed to be used when interacting
with an attached BPF program), and then get further confused and hit the
tls_merge_open_record() path, which then assumes that there must be at
least one populated buffer element, leading to a NULL deref.

It is possible to have empty plaintext/ciphertext buffers if we previously
bailed from tls_sw_sendmsg_locked() via the tls_trim_both_msgs() path.
tls_sw_push_pending_record() already handles this case correctly; let's do
the same check in tls_sw_splice_eof().

Fixes: df720d288d ("tls/sw: Use splice_eof() to flush")
Cc: stable@vger.kernel.org
Reported-by: syzbot+40d43509a099ea756317@syzkaller.appspotmail.com
Signed-off-by: Jann Horn <jannh@google.com>
Link: https://lore.kernel.org/r/20231122214447.675768-1-jannh@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2023-11-23 08:51:45 -08:00
..
6lowpan
9p
802
8021q
appletalk
atm
ax25
batman-adv
bluetooth This update includes the following changes: 2023-11-02 16:15:30 -10:00
bpf bpf: Add __bpf_kfunc_{start,end}_defs macros 2023-11-01 22:33:53 -07:00
bpfilter
bridge netfilter: nf_conntrack_bridge: initialize err to 0 2023-11-14 16:16:21 +01:00
caif
can
ceph This update includes the following changes: 2023-11-02 16:15:30 -10:00
core bpf, netkit: Add indirect call wrapper for fetching peer dev 2023-11-20 10:15:16 -08:00
dcb
dccp dccp/tcp: Call security_inet_conn_request() after setting IPv6 addresses. 2023-11-02 12:56:03 +01:00
devlink netlink: specs: devlink: add forgotten port function caps enum values 2023-11-01 22:13:43 -07:00
dns_resolver
dsa
ethernet
ethtool
handshake
hsr hsr: Prevent use after free in prp_create_tagged_frame() 2023-11-01 22:26:04 -07:00
ieee802154
ife
ipv4 ipv4: Correct/silence an endian warning in __ip_do_redirect 2023-11-21 12:55:22 +01:00
ipv6 Including fixes from netfilter and bpf. 2023-11-09 17:09:35 -08:00
iucv
kcm net: kcm: fill in MODULE_DESCRIPTION() 2023-11-08 18:17:44 -08:00
key
l2tp
l3mdev
lapb
llc llc: verify mac len before reading mac header 2023-11-01 22:21:32 -07:00
mac80211
mac802154
mctp
mpls
mptcp net: fill in MODULE_DESCRIPTION()s for SOCK_DIAG modules 2023-11-19 20:09:13 +00:00
ncsi Revert ncsi: Propagate carrier gain/loss events to the NCSI controller 2023-11-15 09:59:44 +00:00
netfilter netfilter: nf_tables: split async and sync catchall in two functions 2023-11-14 16:16:21 +01:00
netlabel
netlink netlink: fill in missing MODULE_DESCRIPTION() 2023-11-03 11:42:48 +00:00
netrom
nfc
nsh
openvswitch net/sched: act_ct: Always fill offloading tuple iifidx 2023-11-08 17:47:08 -08:00
packet net: fill in MODULE_DESCRIPTION()s for SOCK_DIAG modules 2023-11-19 20:09:13 +00:00
phonet
psample
qrtr
rds
rfkill
rose
rxrpc rxrpc: Defer the response to a PING ACK until we've parsed it 2023-11-17 02:50:33 +00:00
sched net: sched: do not offload flows with a helper in act_ct 2023-11-16 10:10:51 +01:00
sctp net: fill in MODULE_DESCRIPTION()s for SOCK_DIAG modules 2023-11-19 20:09:13 +00:00
smc net/smc: avoid data corruption caused by decline 2023-11-22 12:10:19 +00:00
strparser
sunrpc NFS client updates for Linux 6.7 2023-11-08 13:39:16 -08:00
switchdev
tipc net: fill in MODULE_DESCRIPTION()s for SOCK_DIAG modules 2023-11-19 20:09:13 +00:00
tls tls: fix NULL deref on tls_sw_splice_eof() with empty record 2023-11-23 08:51:45 -08:00
unix net: fill in MODULE_DESCRIPTION()s for SOCK_DIAG modules 2023-11-19 20:09:13 +00:00
vmw_vsock net: fill in MODULE_DESCRIPTION()s for SOCK_DIAG modules 2023-11-19 20:09:13 +00:00
wireless
x25
xdp net: fill in MODULE_DESCRIPTION()s for SOCK_DIAG modules 2023-11-19 20:09:13 +00:00
xfrm Including fixes from netfilter and bpf. 2023-11-09 17:09:35 -08:00
compat.c
devres.c
Kconfig
Kconfig.debug
Makefile
socket.c bpf: Add __bpf_hook_{start,end} macros 2023-11-01 22:33:53 -07:00
sysctl_net.c