diff options
| author | Olga Kornievskaia <okorniev@redhat.com> | 2025-07-29 12:40:20 -0400 |
|---|---|---|
| committer | Chuck Lever <chuck.lever@oracle.com> | 2025-08-06 09:57:50 -0400 |
| commit | bee47cb026e762841f3faece47b51f985e215edb (patch) | |
| tree | a9774c17f64771e812651bbfc5a4666244bbe4b7 /arch/um/include/asm/cacheflush.h | |
| parent | e5a73150776f18547ee685c9f6bfafe549714899 (diff) | |
sunrpc: fix handling of server side tls alerts
Scott Mayhew discovered a security exploit in NFS over TLS in
tls_alert_recv() due to its assumption it can read data from
the msg iterator's kvec..
kTLS implementation splits TLS non-data record payload between
the control message buffer (which includes the type such as TLS
aler or TLS cipher change) and the rest of the payload (say TLS
alert's level/description) which goes into the msg payload buffer.
This patch proposes to rework how control messages are setup and
used by sock_recvmsg().
If no control message structure is setup, kTLS layer will read and
process TLS data record types. As soon as it encounters a TLS control
message, it would return an error. At that point, NFS can setup a
kvec backed msg buffer and read in the control message such as a
TLS alert. Msg iterator can advance the kvec pointer as a part of
the copy process thus we need to revert the iterator before calling
into the tls_alert_recv.
Reported-by: Scott Mayhew <smayhew@redhat.com>
Fixes: 5e052dda121e ("SUNRPC: Recognize control messages in server-side TCP socket code")
Suggested-by: Trond Myklebust <trondmy@hammerspace.com>
Cc: stable@vger.kernel.org
Signed-off-by: Olga Kornievskaia <okorniev@redhat.com>
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Diffstat (limited to 'arch/um/include/asm/cacheflush.h')
0 files changed, 0 insertions, 0 deletions