[SRU][J][PULL] Fixes for CVE-2024-2658{3,4,5}
Juerg Haefliger
juerg.haefliger at canonical.com
Tue Apr 2 14:52:35 UTC 2024
On Tue, 2 Apr 2024 15:46:27 +1000
Portia Stephens <portia.stephens at canonical.com> wrote:
> On Thu, Mar 28, 2024 at 04:47:13PM +0100, Juerg Haefliger wrote:
> > [ Impact ]
> >
> > CVE-2024-26583 (https://ubuntu.com/security/CVE-2024-26583)
> > CVE-2024-26584 (https://ubuntu.com/security/CVE-2024-26584)
> > CVE-2024-26585 (https://ubuntu.com/security/CVE-2024-26585)
> >
> > [ Test case ]
> >
> > 1) Enable async crypto:
> > $ modprobe tcrypt alg="pcrypt(generic-gcm-aesni)" type=3
> > 2) Enable TLS function tracing:
> > $ echo function_graph > /sys/kernel/tracing/current_tracer
> > $ echo 'tls_*:mod:tls' > /sys/kernel/tracing/set_ftrace_filter
> > 3) Run TLS kernel selftests from v6.8:
> > $ ./linux-6.8/tools/testing/selftests/net/tls
> > 4) Verify:
> > - No call traces in the kernel log
> > - All modified TLS functions were called
> > - No additional unexpected TLS test failures
> >
> > [ Where problems could occur ]
> >
> > Modifications are all limited to the tls module so only applications
> > that use kernel TLS might suffer.
> >
> > [ Notes ]
> >
> > 1) 5.15 is not vulnerable to CVE-2024-26582
> > 2) All CVEs are fixed by a single upstream patch series, so the fixes are
> > all rolled into a single PR as well
> > 3) The first 19 patches are stable patches from linux-5.15.y
> >
> > Signed-off-by: Juerg Haefliger <juerg.haefliger at canonical.com>
> >
> > --------
> >
> > The following changes since commit b0a254efaa61343ba139c20ccb06f89cc3674647:
> >
> > UBUNTU: Ubuntu-5.15.0-102.112 (2024-03-05 17:28:50 +0100)
> >
> > are available in the Git repository at:
> >
> > https://git.launchpad.net/~juergh/+git/linux CVE-2024-26584/jammy
> >
> > for you to fetch changes up to 7b6f7bb902be61dcda8b4cd787ec5a56ced93189:
> >
> > net: tls: handle backlogging of crypto requests (2024-03-28 12:10:00 +0100)
> >
> > ----------------------------------------------------------------
> > Gal Pressman (1):
> > Revert "tls: rx: move counting TlsDecryptErrors for sync"
> >
> > Jakub Kicinski (24):
> > tls: rx: jump to a more appropriate label
> > tls: rx: drop pointless else after goto
> > tls: rx: don't store the record type in socket context
> > tls: rx: don't store the decryption status in socket context
> > tls: rx: don't issue wake ups when data is decrypted
> > tls: rx: refactor decrypt_skb_update()
> > tls: hw: rx: use return value of tls_device_decrypted() to carry status
> > tls: rx: drop unnecessary arguments from tls_setup_from_iter()
> > tls: rx: don't report text length from the bowels of decrypt
> > tls: rx: wrap decryption arguments in a structure
> > tls: rx: factor out writing ContentType to cmsg
> > tls: rx: don't track the async count
> > tls: rx: move counting TlsDecryptErrors for sync
>
> What is the point of including this patch when it is reverted in the same
> pull request?
Nice catch! But without it, all the patches between this and its revert won't
cherry-pick cleanly. It's a lot of work to fix them all up, so easier to just
add it and revert it later so that they're all clean cherry-picks.
...Juerg
> > tls: rx: assume crypto always calls our callback
> > tls: rx: use async as an in-out argument
> > net: tls: fix async vs NIC crypto offload
> > tls: rx: simplify async wait
> > tls: rx: return the already-copied data on crypto error
> > tls: rx: allow only one reader at a time
> > tls: rx: release the sock lock on locking timeout
> > net: tls: factor out tls_*crypt_async_wait()
> > tls: fix race between async notify and socket close
> > tls: fix race between tx work scheduling and socket close
> > net: tls: handle backlogging of crypto requests
> >
> > Sabrina Dubroca (3):
> > tls: stop recv() if initial process_rx_list gave us non-DATA
> > tls: decrement decrypt_pending if no async completion will be called
> > tls: extract context alloc/initialization out of tls_set_sw_offload
> >
> > include/net/strparser.h | 4 +
> > include/net/tls.h | 20 +-
> > net/tls/tls_device.c | 6 +-
> > net/tls/tls_sw.c | 600 ++++++++++++++++++++++++++----------------------
> > 4 files changed, 334 insertions(+), 296 deletions(-)
> >
> > --
> > kernel-team mailing list
> > kernel-team at lists.ubuntu.com
> > https://lists.ubuntu.com/mailman/listinfo/kernel-team
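The "Verify" step of the test case above is a manual judgement (no call traces, every modified function seen in the ftrace output, no new selftest failures). The script below is an added example, not part of the pull request or of the Ubuntu kernel tree: it turns the three conditions into checks over files saved from the test machine. It assumes the function_graph buffer was copied out with `cat /sys/kernel/tracing/trace`, the kernel log with `dmesg`, and the selftest binary was run once on the unpatched kernel and once on the patched one with output redirected to files. The file names and the `EXPECTED_FUNCS` list are assumptions for illustration; the two `tls_*crypt_async_wait` names are my expansion of the glob in the patch title and should be replaced by whatever functions the series touches.

```shell
#!/bin/sh
# Added example, not part of the pull request or the Ubuntu kernel tree.
# Checks the three "Verify" conditions of the SRU test case from saved
# artefacts, so the judgement is repeatable rather than eyeballed:
#   cat /sys/kernel/tracing/trace > trace.txt      (function_graph output)
#   dmesg > dmesg.txt
#   ./tls > before.txt (unpatched kernel);  ./tls > after.txt (patched kernel)
# File names and EXPECTED_FUNCS are assumptions chosen for illustration.

# Functions whose presence in the trace we want to confirm. Assumption:
# fill this from the functions the series actually modifies.
EXPECTED_FUNCS="tls_sw_recvmsg tls_decrypt_async_wait tls_encrypt_async_wait"

# Print every name in "$@" that never appears as a call in a function_graph
# trace file ("name() {" or "name();"); exit 0 when all were called.
# The class before the name stops "sw_recvmsg" matching "tls_sw_recvmsg".
missing_funcs() {
    mf_trace=$1; shift
    mf_rc=0
    for f in "$@"; do
        if ! grep -Eq "(^|[^A-Za-z0-9_])$f\\(" "$mf_trace"; then
            echo "$f"
            mf_rc=1
        fi
    done
    return $mf_rc
}

# Exit 0 if the kernel log carries an oops, WARN or call trace.
has_call_trace() {
    grep -Eq 'Call Trace:|WARNING:|BUG:|Oops:' "$1"
}

# Names of failing tests in kselftest TAP output ("# not ok 3 tls.x.y").
failed_tests() {
    sed -nE 's/^#? *not ok [0-9]+ ([^ ]+).*/\1/p' "$1" | sort -u
}

# Tests that fail in the "after" run but did not fail in the "before" run,
# i.e. the "additional unexpected failures" the test case asks about.
unexpected_failures() {
    uf_base=$(mktemp) || return 2
    uf_new=$(mktemp) || { rm -f "$uf_base"; return 2; }
    failed_tests "$1" > "$uf_base"
    failed_tests "$2" > "$uf_new"
    comm -13 "$uf_base" "$uf_new"
    rm -f "$uf_base" "$uf_new"
}

# Run all three checks; exit 0 only if every one passes.
verify_sru() {
    v_trace=$1 v_dmesg=$2 v_before=$3 v_after=$4
    v_status=0
    if has_call_trace "$v_dmesg"; then
        echo "FAIL: call trace in kernel log"; v_status=1
    fi
    v_miss=$(missing_funcs "$v_trace" $EXPECTED_FUNCS) || {
        echo "FAIL: functions never traced: $v_miss"; v_status=1; }
    v_unexp=$(unexpected_failures "$v_before" "$v_after")
    if [ -n "$v_unexp" ]; then
        echo "FAIL: new selftest failures: $v_unexp"; v_status=1
    fi
    [ "$v_status" -eq 0 ] && echo "PASS"
    return $v_status
}

# Constructed sample artefacts so the script runs offline; a real run points
# the four arguments at the files captured on the test machine.
demo_dir=$(mktemp -d)
cat > "$demo_dir/trace.txt" <<'EOF'
 1)               |  tls_sw_recvmsg() {
 1)               |    tls_decrypt_async_wait() {
 1)   2.510 us    |    }
 1) + 31.204 us   |  }
 1)   0.870 us    |  tls_encrypt_async_wait();
EOF
printf '[   12.001] tls: registered\n' > "$demo_dir/dmesg.txt"
printf '# ok 1 tls.12_aes_gcm.sendfile\n# not ok 2 tls.13_aes_gcm.sendfile\n' \
    > "$demo_dir/before.txt"
cp "$demo_dir/before.txt" "$demo_dir/after.txt"
verify_sru "$demo_dir/trace.txt" "$demo_dir/dmesg.txt" \
           "$demo_dir/before.txt" "$demo_dir/after.txt"
rm -rf "$demo_dir"
```

Comparing against a baseline run rather than requiring zero failures matters here: the v6.8 selftests exercise cipher/version combinations a 5.15 kernel does not support, so some "not ok" lines are expected on both kernels and only the difference is a regression signal.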