Commit ecb45e2a authored by Sabrina Dubroca's avatar Sabrina Dubroca Committed by Treehugger Robot
Browse files

UPSTREAM: net: tls: fix use-after-free with partial reads and async decrypt 



[ Upstream commit 32b55c5f ]

tls_decrypt_sg doesn't take a reference on the pages from clear_skb,
so the put_page() in tls_decrypt_done releases them, and we trigger
a use-after-free in process_rx_list when we try to read from the
partially-read skb.

Bug: 326214405
Fixes: fd31f399 ("tls: rx: decrypt into a fresh skb")
Signed-off-by: default avatarSabrina Dubroca <sd@queasysnail.net>
Signed-off-by: default avatarJakub Kicinski <kuba@kernel.org>
Reviewed-by: default avatarSimon Horman <horms@kernel.org>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
(cherry picked from commit d6847635)
Signed-off-by: default avatarLee Jones <joneslee@google.com>
Change-Id: Ifdd765d0af082523d1432436b6f6d2c094c48dca
parent 1dbafe61
Show whitespace changes
Inline Side-by-side
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Please to comment