From nobody Mon Mar 18 17:08:46 2024 X-Original-To: dev-commits-src-all@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4Tz1Xb0Glpz5F6BY; Mon, 18 Mar 2024 17:08:47 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4Tz1XZ6ZGjz4qHv; Mon, 18 Mar 2024 17:08:46 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1710781726; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=V7AvkNLxULPWPegJtKYoJlpl/ec6YyaCWOmk2HaoiDg=; b=s/Kyfv3oP91uFLsKRDnt0CMpbdgvRciagrYZJ4eyj7RiuqLs1oYNME5YBPfWjurs7gEROQ FwAIScFGJALFNhPB7jwT7KfL9ub939qJT8D4kZRzAzx987YOX6mCN5k5AZ9odsEw++kSau LqpAid88OqBMQH8NOWIlaf84cOMghQaCWwBtDfC9jDtVHDu54fmbVbWjyCEVwzbfftk751 wcF/AFIBWilaPx1EkK/8PW6bcvMMrehQZ3MPxDDueXx53gj9GBTzulVguKb4o4a7REW1yC uhkZnyY5jLkY0TnjQ+4TrF34VSuxdmDOg6xgxbOPzidNbq/2a4xBYrd/n7yFOQ== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1710781726; a=rsa-sha256; cv=none; b=EawwrHYSExfkIKJJOEdZ+1w5QqxzGV+43RpsAS6PxIYWykKaPwkOsenU/wHGor+1gzUO1H jFKKgmkyS0r4DDqqzVUd2MT+fkd6kbC2tgR5q/kqBKUivGIr6o0iA3ox3Cz5zUoGur8+yy 8XzuPTc95LT2EfsMNohwOSfCqrs3TsRfn/H0q3PbKP/zHuqQyDkYgyzSVob49Mz5zqmVgk P7FyCw6ca67YJcv+Gwxq5wm9Gia0qstjb/kzMlNIdkiXMf3FXc4EHYoB+BqYC34lXSslvD wDNVf5wgCHJE7K+q23z4jaPGCifa6GX9lSrJ0KL52mYwkRFBB9Tk4Tp5Jd+6NA== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1710781726; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=V7AvkNLxULPWPegJtKYoJlpl/ec6YyaCWOmk2HaoiDg=; b=cWTiPbZzxL/iYzcnm7B/akYZ0aE2HxrHgl8VMu25ekTHBPuvMAom3kJgbMBTxvk7Ryf7I3 7RU7BPJ8GR79i8RZGWCPZKT5DqD8yMiYRQBvs8XwZ8YopYQaXcdxuivs59WTtVLwXmr7+z oRv6prNOF5yJbJf9LrHRHtI7QSd9biGSsF5XlaVnooQ7r8dEgQhm42kpJFXWmCT9tYt9mQ D3iNmCwX4Hsl/rZA2Pf0nrc7PwunYsbz5vwVVnYxQhinEJKGMAMqD3bsevUYdzqL5HZNs/ ap1CWvKnt/5uKH3z7e5Ovj/c4U5G+UHdSHSo9hIQZ6abWUjdywZ0Sxw/Q2aHVw== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 4Tz1XZ63R2zX2Y; Mon, 18 Mar 2024 17:08:46 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from gitrepo.freebsd.org ([127.0.1.44]) by gitrepo.freebsd.org (8.17.1/8.17.1) with ESMTP id 42IH8kO3023272; Mon, 18 Mar 2024 17:08:46 GMT (envelope-from git@gitrepo.freebsd.org) Received: (from git@localhost) by gitrepo.freebsd.org (8.17.1/8.17.1/Submit) id 42IH8kwv023269; Mon, 18 Mar 2024 17:08:46 GMT (envelope-from git) Date: Mon, 18 Mar 2024 17:08:46 GMT Message-Id: <202403181708.42IH8kwv023269@gitrepo.freebsd.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org From: Richard Scheffenegger Subject: git: b5a9299bb8b9 - main - ktls: catch invalid parameters earlier List-Id: Commit messages for all branches of the src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-dev-commits-src-all@freebsd.org X-BeenThere: dev-commits-src-all@freebsd.org MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: rscheff X-Git-Repository: src X-Git-Refname: refs/heads/main X-Git-Reftype: branch X-Git-Commit: b5a9299bb8b9f1b0190899c93e0dc923b5b48343 Auto-Submitted: auto-generated The branch main has been updated by rscheff: URL: https://cgit.FreeBSD.org/src/commit/?id=b5a9299bb8b9f1b0190899c93e0dc923b5b48343 commit b5a9299bb8b9f1b0190899c93e0dc923b5b48343 Author: Richard Scheffenegger AuthorDate: 2024-03-18 01:55:59 +0000 Commit: Richard Scheffenegger CommitDate: 2024-03-18 02:37:49 +0000 ktls: catch invalid parameters earlier Move safety checks forward from ktls_session_create() to ktls_copyin_tls_enable(). Prevents zero mallocs, and excessively large kernel mallocs. Reported-by: syzbot+72022fa9163fa958b66c@syzkaller.appspotmail.com Reported-by: syzbot+8992893e13058ce0670a@syzkaller.appspotmail.com Sponsored by: NetApp, Inc. X-NetApp-PR: #79 Reviewed By: tuexen Differential Revision: https://reviews.freebsd.org/D44364 --- sys/kern/uipc_ktls.c | 69 +++++++++++++++++++++++++++++++--------------------- 1 file changed, 41 insertions(+), 28 deletions(-) diff --git a/sys/kern/uipc_ktls.c b/sys/kern/uipc_ktls.c index df296090ec97..fd1bc7bf8bfe 100644 --- a/sys/kern/uipc_ktls.c +++ b/sys/kern/uipc_ktls.c @@ -329,7 +329,18 @@ ktls_copyin_tls_enable(struct sockopt *sopt, struct tls_enable *tls) error = sooptcopyin(sopt, tls, sizeof(*tls), sizeof(*tls)); if (error != 0) - goto done; + return (error); + + if (tls->cipher_key_len < 0 || tls->cipher_key_len > TLS_MAX_PARAM_SIZE) + return (EINVAL); + if (tls->iv_len < 0 || tls->iv_len > sizeof(((struct ktls_session *)NULL)->params.iv)) + return (EINVAL); + if (tls->auth_key_len < 0 || tls->auth_key_len > TLS_MAX_PARAM_SIZE) + return (EINVAL); + + /* All supported algorithms require a cipher key. */ + if (tls->cipher_key_len == 0) + return (EINVAL); /* * Now do a deep copy of the variable-length arrays in the struct, so that @@ -338,23 +349,35 @@ ktls_copyin_tls_enable(struct sockopt *sopt, struct tls_enable *tls) * error paths so that our caller need only worry about outstanding * allocations existing on successful return. */ - cipher_key = malloc(tls->cipher_key_len, M_KTLS, M_WAITOK); - iv = malloc(tls->iv_len, M_KTLS, M_WAITOK); - auth_key = malloc(tls->auth_key_len, M_KTLS, M_WAITOK); - if (sopt->sopt_td != NULL) { - error = copyin(tls->cipher_key, cipher_key, tls->cipher_key_len); - if (error != 0) - goto done; - error = copyin(tls->iv, iv, tls->iv_len); - if (error != 0) - goto done; - error = copyin(tls->auth_key, auth_key, tls->auth_key_len); - if (error != 0) - goto done; - } else { - bcopy(tls->cipher_key, cipher_key, tls->cipher_key_len); - bcopy(tls->iv, iv, tls->iv_len); - bcopy(tls->auth_key, auth_key, tls->auth_key_len); + if (tls->cipher_key_len != 0) { + cipher_key = malloc(tls->cipher_key_len, M_KTLS, M_WAITOK); + if (sopt->sopt_td != NULL) { + error = copyin(tls->cipher_key, cipher_key, tls->cipher_key_len); + if (error != 0) + goto done; + } else { + bcopy(tls->cipher_key, cipher_key, tls->cipher_key_len); + } + } + if (tls->iv_len != 0) { + iv = malloc(tls->iv_len, M_KTLS, M_WAITOK); + if (sopt->sopt_td != NULL) { + error = copyin(tls->iv, iv, tls->iv_len); + if (error != 0) + goto done; + } else { + bcopy(tls->iv, iv, tls->iv_len); + } + } + if (tls->auth_key_len != 0) { + auth_key = malloc(tls->auth_key_len, M_KTLS, M_WAITOK); + if (sopt->sopt_td != NULL) { + error = copyin(tls->auth_key, auth_key, tls->auth_key_len); + if (error != 0) + goto done; + } else { + bcopy(tls->auth_key, auth_key, tls->auth_key_len); + } } tls->cipher_key = cipher_key; tls->iv = iv; @@ -586,16 +609,6 @@ ktls_create_session(struct socket *so, struct tls_enable *en, en->tls_vminor > TLS_MINOR_VER_THREE) return (EINVAL); - if (en->auth_key_len < 0 || en->auth_key_len > TLS_MAX_PARAM_SIZE) - return (EINVAL); - if (en->cipher_key_len < 0 || en->cipher_key_len > TLS_MAX_PARAM_SIZE) - return (EINVAL); - if (en->iv_len < 0 || en->iv_len > sizeof(tls->params.iv)) - return (EINVAL); - - /* All supported algorithms require a cipher key. */ - if (en->cipher_key_len == 0) - return (EINVAL); /* No flags are currently supported. */ if (en->flags != 0)