linux/net/sunrpc
Olga Kornievskaia bee47cb026 sunrpc: fix handling of server side tls alerts
Scott Mayhew discovered a security exploit in NFS over TLS in
tls_alert_recv() due to its assumption it can read data from
the msg iterator's kvec.

kTLS implementation splits TLS non-data record payload between
the control message buffer (which includes the type such as TLS
alert or TLS cipher change) and the rest of the payload (say TLS
alert's level/description) which goes into the msg payload buffer.

This patch proposes to rework how control messages are set up and
used by sock_recvmsg().

If no control message structure is set up, kTLS layer will read and
process TLS data record types. As soon as it encounters a TLS control
message, it would return an error. At that point, NFS can set up a
kvec backed msg buffer and read in the control message such as a
TLS alert. Msg iterator can advance the kvec pointer as a part of
the copy process thus we need to revert the iterator before calling
into the tls_alert_recv.

Reported-by: Scott Mayhew <smayhew@redhat.com>
Fixes: 5e052dda12 ("SUNRPC: Recognize control messages in server-side TCP socket code")
Suggested-by: Trond Myklebust <trondmy@hammerspace.com>
Cc: stable@vger.kernel.org
Signed-off-by: Olga Kornievskaia <okorniev@redhat.com>
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
2025-08-06 09:57:50 -04:00
..
auth_gss sunrpc: return better error in svcauth_gss_accept() on alloc failure 2025-07-14 12:46:48 -04:00
xprtrdma svcrdma: Adjust the number of entries in svc_rdma_send_ctxt::sc_pages 2025-05-15 16:16:26 -04:00
.kunitconfig
Kconfig
Makefile
addr.c net: sunrpc: Fix an off by one in rpc_sockaddr2uaddr() 2024-02-28 16:18:18 -05:00
auth.c sunrpc: simplify rpcauth_cache_shrink_count() 2025-02-07 16:53:04 +01:00
auth_null.c
auth_tls.c
auth_unix.c
backchannel_rqst.c
cache.c sunrpc: fix race in cache cleanup causing stale nextcheck time 2025-05-11 19:48:22 -04:00
clnt.c sunrpc: don't immediately retransmit on seqno miss 2025-05-19 10:14:29 -04:00
debugfs.c sunrpc: add netns inum and srcaddr to debugfs rpc_xprt info 2025-01-22 15:53:31 -05:00
fail.h
netns.h
rpc_pipe.c Use try_lookup_noperm() instead of d_hash_and_lookup() outside of VFS 2025-04-08 11:24:41 +02:00
rpcb_clnt.c SUNRPC: rpcbind should never reset the port to the value '0' 2025-03-26 12:17:38 -04:00
sched.c SUNRPC: Don't allow waiting for exiting tasks 2025-03-28 16:37:57 -04:00
socklib.c sunrpc: unexport csum_partial_copy_to_xdr 2025-07-14 12:46:38 -04:00
socklib.h
stats.c sunrpc: use the struct net as the svc proc private 2024-03-01 09:12:09 -05:00
sunrpc.h SUNRPC: make various functions static, or not exported. 2024-09-01 10:04:56 -04:00
sunrpc_syms.c net: fill in MODULE_DESCRIPTION()s for Sun RPC 2024-01-11 16:16:08 -08:00
svc.c sunrpc: reset rq_accept_statp when starting a new RPC 2025-07-14 12:46:48 -04:00
svc_xprt.c treewide, timers: Rename from_timer() to timer_container_of() 2025-06-08 09:07:37 +02:00
svcauth.c SUNRPC: add svcauth_map_clnt_to_svc_cred_local 2024-09-23 15:03:30 -04:00
svcauth_unix.c SUNRPC: replace program list with program array 2024-09-23 15:03:30 -04:00
svcsock.c sunrpc: fix handling of server side tls alerts 2025-08-06 09:57:50 -04:00
sysctl.c sysctl: treewide: constify the ctl_table argument of proc_handlers 2024-07-24 20:59:29 +02:00
sysfs.c sunrpc: Add a sysfs file for one-step xprt deletion 2025-03-21 09:34:53 -04:00
sysfs.h
timer.c
xdr.c sunrpc: simplify xdr_init_encode_pages 2025-07-14 12:46:37 -04:00
xprt.c treewide, timers: Rename from_timer() to timer_container_of() 2025-06-08 09:07:37 +02:00
xprtmultipath.c sunrpc: Add a sysfs file for adding a new xprt 2025-03-21 09:34:53 -04:00
xprtsock.c SUNRPC: Remove dead code from xs_tcp_tls_setup_socket() 2025-05-28 17:17:14 -04:00