NothingOSS/android_kernel_msm-6.1_nothing_sm7635
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
android_kernel_msm-6.1_noth.../include
History
Daniel Jordan da353fac65 net/tls: Fix flipped sign in tls_err_abort() calls 
sk->sk_err appears to expect a positive value, a convention that ktls
doesn't always follow and that leads to memory corruption in other code.
For instance,

    [kworker]
    tls_encrypt_done(..., err=<negative error from crypto request>)
      tls_err_abort(.., err)
        sk->sk_err = err;

    [task]
    splice_from_pipe_feed
      ...
        tls_sw_do_sendpage
          if (sk->sk_err) {
            ret = -sk->sk_err;  // ret is positive

    splice_from_pipe_feed (continued)
      ret = actor(...)  // ret is still positive and interpreted as bytes
                        // written, resulting in underflow of buf->len and
                        // sd->len, leading to huge buf->offset and bogus
                        // addresses computed in later calls to actor()

Fix all tls_err_abort() callers to pass a negative error code
consistently and centralize the error-prone sign flip there, throwing in
a warning to catch future misuse and uninlining the function so it
really does only warn once.

Cc: stable@vger.kernel.org
Fixes: c46234ebb4 ("tls: RX path for ktls")
Reported-by: syzbot+b187b77c8474f9648fae@syzkaller.appspotmail.com
Signed-off-by: Daniel Jordan <daniel.m.jordan@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2021-10-28 14:41:20 +01:00
..
acpi Revert "ACPI: Add memory semantics to acpi_os_map_memory()" 2021-09-23 20:39:36 +02:00
asm-generic asm-generic: build fixes for v5.15 2021-10-08 11:57:54 -07:00
clocksource
crypto Merge branch 'linus' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6 2021-08-30 12:57:10 -07:00
drm
dt-bindings linux-watchdog 5.15-rc1 tag 2021-09-07 13:52:46 -07:00
keys
kunit kunit: fix kernel-doc warnings due to mismatched arg names 2021-10-06 17:54:07 -06:00
kvm KVM: arm64: Fix PMU probe ordering 2021-09-20 12:43:34 +01:00
linux Merge https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf 2021-10-26 14:38:55 -07:00
math-emu
media
memory
misc
net net/tls: Fix flipped sign in tls_err_abort() calls 2021-10-28 14:41:20 +01:00
pcmcia
ras
rdma Merge branch 'sg_nents' into rdma.git for-next 2021-08-30 09:49:59 -03:00
scsi scsi: core: Remove 'current_tag' 2021-09-22 00:13:38 -04:00
soc net: dsa: tag_ocelot_8021q: break circular dependency with ocelot switch lib 2021-10-12 17:35:18 -07:00
sound ALSA: hda: intel: Allow repeatedly probing on codec configuration errors 2021-10-07 09:15:22 +02:00
target
trace block-5.15-2021-10-17 2021-10-17 19:25:20 -10:00
uapi Networking fixes for 5.15-rc7, including fixes from netfilter, and can. 2021-10-21 15:36:50 -10:00
vdso
video
xen xen/privcmd: drop "pages" parameter from xen_remap_pfn() 2021-10-05 08:20:27 +02:00