This patch addresses an issue of type confusion in tls_is_tx_ready(), as a check for NULL of list_first_entry() return value is wrong. This issue has been given a CVE entry CVE-2023-1075 [1] and is still present in several stable branches.
As the flawed function tls_is_tx_ready() is named is_tx_ready() and is situated in another file (specifically, include/net/tls.h) in older kernel versions, fix the error there instead. This adapted backport can be cleanly applied to 5.4, 5.10 and 5.15 branches.
[PATCH 5.4/5.10/5.15 1/1] net/tls: tls_is_tx_ready() checked list_entry Use list_first_entry_or_null() instead of list_entry() to properly check for empty lists. Fixes [1].
[1] https://nvd.nist.gov/vuln/detail/cve-2023-1075 [2] https://github.com/torvalds/linux/commit/ffe2a22562444720b05bdfeb999c03e810d...
From: Pietro Borrello borrello@diag.uniroma1.it
[ Upstream commit ffe2a22562444720b05bdfeb999c03e810d84cbb ]
tls_is_tx_ready() checks that list_first_entry() does not return NULL. This condition can never happen. For empty lists, list_first_entry() returns the list_entry() of the head, which is a type confusion. Use list_first_entry_or_null() which returns NULL in case of empty lists.
Fixes: a42055e ("net/tls: Add support for async encryption of records for performance") Signed-off-by: Pietro Borrello borrello@diag.uniroma1.it Link: https://lore.kernel.org/r/20230128-list-entry-null-check-tls-v1-1-525bbfe6f0... Signed-off-by: Jakub Kicinski kuba@kernel.org [Nikita: since tls_is_tx_ready() exists only as is_tx_ready() in include/net/tls.h, fix the issue there instead.] Signed-off-by: Nikita Zhandarovich n.zhandarovich@fintech.ru --- include/net/tls.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/include/net/tls.h b/include/net/tls.h index 7f220e03ebb2..e6836a5dfb6e 100644 --- a/include/net/tls.h +++ b/include/net/tls.h @@ -427,7 +427,7 @@ static inline bool is_tx_ready(struct tls_sw_context_tx *ctx) { struct tls_rec *rec;
- rec = list_first_entry(&ctx->tx_list, struct tls_rec, list); + rec = list_first_entry_or_null(&ctx->tx_list, struct tls_rec, list); if (!rec) return false;
linux-stable-mirror@lists.linaro.org
-
Nikita Zhandarovich