diff options
| author | Ilya Lesokhin <ilyal@mellanox.com> | 2017-11-13 10:22:48 +0200 |
|---|---|---|
| committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2018-12-05 19:41:10 +0100 |
| commit | 93f16446c8ddacbf26ae8408ecd9c9c397b8d5b4 (patch) | |
| tree | 15606bd50dc43ef7e2bf3d92d3af3fd4f1c41963 /net/tls | |
| parent | 797b8bb47fb27ee49a3b59ad110e5264585415aa (diff) | |
| download | linux-stable-93f16446c8ddacbf26ae8408ecd9c9c397b8d5b4.tar.gz linux-stable-93f16446c8ddacbf26ae8408ecd9c9c397b8d5b4.tar.bz2 linux-stable-93f16446c8ddacbf26ae8408ecd9c9c397b8d5b4.zip | |
tls: Avoid copying crypto_info again after cipher_type check.
commit 196c31b4b54474b31dee3c30352c45c2a93e9226 upstream.
Avoid copying crypto_info again after cipher_type check
to avoid a TOCTOU exploits.
The temporary array on the stack is removed as we don't really need it
Fixes: 3c4d7559159b ('tls: kernel TLS support')
Signed-off-by: Ilya Lesokhin <ilyal@mellanox.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
[bwh: Backported to 4.14: Preserve changes made by earlier backports of
"tls: return -EBUSY if crypto_info is already set" and "tls: zero the
crypto information from tls_context before freeing"]
Signed-off-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Diffstat (limited to 'net/tls')
| -rw-r--r-- | net/tls/tls_main.c | 33 |
1 files changed, 14 insertions, 19 deletions
diff --git a/net/tls/tls_main.c b/net/tls/tls_main.c index b5f9c578bcf0..f88df514ad5f 100644 --- a/net/tls/tls_main.c +++ b/net/tls/tls_main.c @@ -381,7 +381,7 @@ static int tls_getsockopt(struct sock *sk, int level, int optname, static int do_tls_setsockopt_tx(struct sock *sk, char __user *optval, unsigned int optlen) { - struct tls_crypto_info *crypto_info, tmp_crypto_info; + struct tls_crypto_info *crypto_info; struct tls_context *ctx = tls_get_ctx(sk); int rc = 0; int tx_conf; @@ -391,38 +391,33 @@ static int do_tls_setsockopt_tx(struct sock *sk, char __user *optval, goto out; } - rc = copy_from_user(&tmp_crypto_info, optval, sizeof(*crypto_info)); + crypto_info = &ctx->crypto_send.info; + /* Currently we don't support set crypto info more than one time */ + if (TLS_CRYPTO_INFO_READY(crypto_info)) { + rc = -EBUSY; + goto out; + } + + rc = copy_from_user(crypto_info, optval, sizeof(*crypto_info)); if (rc) { rc = -EFAULT; goto out; } /* check version */ - if (tmp_crypto_info.version != TLS_1_2_VERSION) { + if (crypto_info->version != TLS_1_2_VERSION) { rc = -ENOTSUPP; - goto out; - } - - /* get user crypto info */ - crypto_info = &ctx->crypto_send.info; - - /* Currently we don't support set crypto info more than one time */ - if (TLS_CRYPTO_INFO_READY(crypto_info)) { - rc = -EBUSY; - goto out; + goto err_crypto_info; } - switch (tmp_crypto_info.cipher_type) { + switch (crypto_info->cipher_type) { case TLS_CIPHER_AES_GCM_128: { if (optlen != sizeof(struct tls12_crypto_info_aes_gcm_128)) { rc = -EINVAL; goto err_crypto_info; } - rc = copy_from_user( - crypto_info, - optval, - sizeof(struct tls12_crypto_info_aes_gcm_128)); - + rc = copy_from_user(crypto_info + 1, optval + sizeof(*crypto_info), + optlen - sizeof(*crypto_info)); if (rc) { rc = -EFAULT; goto err_crypto_info; |