[PATCH openEuler-1.0-LTS v5 3/6] net/tls: Resolve KABI break when backport bugfix of CVE-2021-47131

27 Mar 2024

hulk inclusion
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/I990AF
CVE: CVE-2021-47131
--------------------------------
This patch resolves KABI break introduces by backporting
commit c55dcdd435aa ("net/tls: Fix use-after-free after
the TLS device goes down and up").
Signed-off-by: Ziyang Xuan william.xuanziyang@huawei.com
---
 include/net/tls.h    | 12 ++++++++++--
 net/tls/tls_device.c |  4 +++-
 net/tls/tls_main.c   |  8 +++++---
 3 files changed, 18 insertions(+), 6 deletions(-)

diff --git a/include/net/tls.h b/include/net/tls.h
index 83040729a6a62..b891f09bba909 100644
--- a/include/net/tls.h
+++ b/include/net/tls.h
@@ -227,8 +227,6 @@ struct tls_context {
    u16 pending_open_record_frags;
    int (*push_pending_record)(struct sock *sk, int flags);
-	struct sock *sk;
-
    void (*sk_write_space)(struct sock *sk);
    void (*sk_destruct)(struct sock *sk);
    void (*sk_proto_close)(struct sock *sk, long timeout);
@@ -243,6 +241,16 @@ struct tls_context {
    void (*unhash)(struct sock *sk);
 };
+struct tls_context_wrapper {
+	struct tls_context ctx;
+	struct sock *sk;
+};
+
+static inline struct tls_context_wrapper *tls_ctx_wrapper(const struct tls_context *ctx)
+{
+	return (struct tls_context_wrapper *)ctx;
+}
+
 struct tls_offload_context_rx {
    /* sw must be the first member of tls_offload_context_rx */
    struct tls_sw_context_rx sw;
diff --git a/net/tls/tls_device.c b/net/tls/tls_device.c
index 70f53b5f444cd..223ea69266b0f 100644
--- a/net/tls/tls_device.c
+++ b/net/tls/tls_device.c
@@ -978,6 +978,7 @@ void tls_device_offload_cleanup_rx(struct sock *sk)
static int tls_device_down(struct net_device *netdev)
 {
+	struct tls_context_wrapper *ctx_wrapper;
    struct tls_context *ctx, *tmp;
    unsigned long flags;
    LIST_HEAD(list);
@@ -999,7 +1000,8 @@ static int tls_device_down(struct net_device *netdev)
    	/* Stop offloaded TX and switch to the fallback.
    	 * tls_is_sk_tx_device_offloaded will return false.
    	 */
-		WRITE_ONCE(ctx->sk->sk_validate_xmit_skb, tls_validate_xmit_skb_sw);
+		ctx_wrapper = tls_ctx_wrapper(ctx);
+		WRITE_ONCE(ctx_wrapper->sk->sk_validate_xmit_skb, tls_validate_xmit_skb_sw);
/* Stop the RX and TX resync.
    	 * tls_dev_resync must not be called after tls_dev_del.
diff --git a/net/tls/tls_main.c b/net/tls/tls_main.c
index b3eafb85b8e16..9182314cc99a6 100644
--- a/net/tls/tls_main.c
+++ b/net/tls/tls_main.c
@@ -550,17 +550,19 @@ static int tls_setsockopt(struct sock *sk, int level, int optname,
 static struct tls_context *create_ctx(struct sock *sk)
 {
    struct inet_connection_sock *icsk = inet_csk(sk);
+	struct tls_context_wrapper *ctx_wrapper;
    struct tls_context *ctx;
-	ctx = kzalloc(sizeof(*ctx), GFP_ATOMIC);
-	if (!ctx)
+	ctx_wrapper = kzalloc(sizeof(*ctx_wrapper), GFP_ATOMIC);
+	if (!ctx_wrapper)
    	return NULL;
+	ctx = &ctx_wrapper->ctx;
icsk->icsk_ulp_data = ctx;
    ctx->setsockopt = sk->sk_prot->setsockopt;
    ctx->getsockopt = sk->sk_prot->getsockopt;
    ctx->sk_proto_close = sk->sk_prot->close;
-	ctx->sk = sk;
+	ctx_wrapper->sk = sk;
    return ctx;
 }
-- 
2.25.1


    

2024

2023

2022

2021

2020

2019

[PATCH openEuler-1.0-LTS v5 3/6] net/tls: Resolve KABI break when backport bugfix of CVE-2021-47131