ktls / af_ktls

Linux Kernel TLS/DTLS Module
GNU General Public License v2.0

kernel fault when decrypting to user buffer #56

Closed lancerchao closed 8 years ago

lancerchao commented 8 years ago

If a client makes a syscall like this:

char recv_mem[1000];
recv(fd, recv_mem, TLS_MAX_PAYLOAD_LENGTH, 0);

And the decryption is done straight to user memory (the else{} in tls_recvmsg), a kernel fault is triggered: http://pastebin.com/XjGu0dHx

fridex commented 8 years ago

I suppose that it occurs with TLS.

lancerchao commented 8 years ago

The kernel has to validate user buffers before accessing them. copy_page_to_iter does this for you, but the decryption API does not.
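
Added example (not part of the thread and not the project's test code): a user-space check of the behaviour described in the comment above, using an ordinary AF_UNIX socketpair in place of an AF_KTLS socket and a PROT_NONE guard page so the 1000-byte buffer ends at a hard boundary. A receive path that handles the user buffer correctly fails the oversized recv() with EFAULT or returns a short count instead of faulting in the kernel. OVERSIZED_LEN is an assumed stand-in for TLS_MAX_PAYLOAD_LENGTH, and the function name is hypothetical.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/socket.h>
#include <unistd.h>

#define BUF_LEN 1000             /* same size as recv_mem in the report */
#define OVERSIZED_LEN (1 << 14)  /* assumed stand-in for TLS_MAX_PAYLOAD_LENGTH */

/* Returns 0 if the oversized recv() was handled safely (EFAULT, or a count
 * that fits the buffer), 1 if the kernel claims to have copied past the
 * buffer, -1 if the test could not be set up. */
int oversized_recv_is_safe(void)
{
    long page = sysconf(_SC_PAGESIZE);
    int sv[2], verdict = -1;
    char payload[4096], *map, *recv_mem;
    ssize_t n;

    map = mmap(NULL, 2 * page, PROT_READ | PROT_WRITE,
               MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (map == MAP_FAILED)
        return -1;
    /* Guard page: the buffer's last byte is the last accessible byte. */
    if (mprotect(map + page, page, PROT_NONE) != 0)
        goto out_unmap;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0)
        goto out_unmap;
    memset(payload, 'A', sizeof(payload));   /* constructed sample data */
    if (send(sv[0], payload, sizeof(payload), 0) != (ssize_t)sizeof(payload))
        goto out_close;

    recv_mem = map + page - BUF_LEN;
    n = recv(sv[1], recv_mem, OVERSIZED_LEN, 0); /* length exceeds the buffer */
    if (n < 0)
        verdict = (errno == EFAULT) ? 0 : -1;
    else
        verdict = (n <= BUF_LEN) ? 0 : 1;
out_close:
    close(sv[0]); close(sv[1]);
out_unmap:
    munmap(map, 2 * page);
    return verdict;
}

int main(void) { return oversized_recv_is_safe() == 0 ? 0 : 1; }
```
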

lancerchao commented 8 years ago

Tests available here. https://github.com/ktls/af_ktls-test/blob/a84cbb8749505c0747859abe9e8c7c1a9ccb6416/tests.cpp#L483-L561

fridex commented 8 years ago

Why was this issue closed?

lancerchao commented 8 years ago

Patch is available here. https://github.com/lancerchao/af_ktls/commit/fe9c547c39a46587324aabcee2894571b3897849

Btw, it is not necessary in ktls with revamped buffer management since those keep decrypted data in skbuffs and never decrypt straight to user memory.

fridex commented 8 years ago

I will take a look at your implementation ASAP.

Not to forget about this, reopening since fix is not available in ktls/af_ktls master.

djwatson commented 8 years ago

Fixed, no longer needed now that using skbs