diff options
| author | Olga Kornievskaia <[email protected]> | 2025-07-31 18:00:56 +0000 |
|---|---|---|
| committer | Trond Myklebust <[email protected]> | 2025-08-03 19:45:47 +0000 |
| commit | cc5d59081fa26506d02de2127ab822f40d88bc5a (patch) | |
| tree | 7942f2017cd6f0482169d46937675b1251fb5145 /net/unix/af_unix.c | |
| parent | nfs/localio: use read_seqbegin() rather than read_seqbegin_or_lock() (diff) | |
| download | kernel-cc5d59081fa26506d02de2127ab822f40d88bc5a.tar.gz kernel-cc5d59081fa26506d02de2127ab822f40d88bc5a.zip | |
sunrpc: fix client side handling of tls alerts
A security exploit was discovered in NFS over TLS in tls_alert_recv
due to its assumption that there is valid data in the msghdr's
iterator's kvec.
Instead, this patch proposes the rework how control messages are
setup and used by sock_recvmsg().
If no control message structure is setup, kTLS layer will read and
process TLS data record types. As soon as it encounters a TLS control
message, it would return an error. At that point, NFS can setup a kvec
backed control buffer and read in the control message such as a TLS
alert. Scott found that a msg iterator can advance the kvec pointer
as a part of the copy process thus we need to revert the iterator
before calling into the tls_alert_recv.
Fixes: dea034b963c8 ("SUNRPC: Capture CMSG metadata on client-side receive")
Suggested-by: Trond Myklebust <[email protected]>
Suggested-by: Scott Mayhew <[email protected]>
Signed-off-by: Olga Kornievskaia <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Trond Myklebust <[email protected]>
Diffstat (limited to 'net/unix/af_unix.c')
0 files changed, 0 insertions, 0 deletions