diff options
| author | Olga Kornievskaia <[email protected]> | 2025-07-29 16:40:20 +0000 |
|---|---|---|
| committer | Chuck Lever <[email protected]> | 2025-08-06 13:57:50 +0000 |
| commit | bee47cb026e762841f3faece47b51f985e215edb (patch) | |
| tree | a9774c17f64771e812651bbfc5a4666244bbe4b7 /scripts/patch-kernel | |
| parent | nfsd: avoid ref leak in nfsd_open_local_fh() (diff) | |
| download | kernel-bee47cb026e762841f3faece47b51f985e215edb.tar.gz kernel-bee47cb026e762841f3faece47b51f985e215edb.zip | |
sunrpc: fix handling of server side tls alerts
Scott Mayhew discovered a security exploit in NFS over TLS in
tls_alert_recv() due to its assumption it can read data from
the msg iterator's kvec..
kTLS implementation splits TLS non-data record payload between
the control message buffer (which includes the type such as TLS
aler or TLS cipher change) and the rest of the payload (say TLS
alert's level/description) which goes into the msg payload buffer.
This patch proposes to rework how control messages are setup and
used by sock_recvmsg().
If no control message structure is setup, kTLS layer will read and
process TLS data record types. As soon as it encounters a TLS control
message, it would return an error. At that point, NFS can setup a
kvec backed msg buffer and read in the control message such as a
TLS alert. Msg iterator can advance the kvec pointer as a part of
the copy process thus we need to revert the iterator before calling
into the tls_alert_recv.
Reported-by: Scott Mayhew <[email protected]>
Fixes: 5e052dda121e ("SUNRPC: Recognize control messages in server-side TCP socket code")
Suggested-by: Trond Myklebust <[email protected]>
Cc: [email protected]
Signed-off-by: Olga Kornievskaia <[email protected]>
Signed-off-by: Chuck Lever <[email protected]>
Diffstat (limited to 'scripts/patch-kernel')
0 files changed, 0 insertions, 0 deletions