[SRU][J][PULL] Fixes for CVE-2024-2658{3,4,5}

Juerg Haefliger juerg.haefliger at canonical.com
Thu Mar 28 15:47:13 UTC 2024


[ Impact ]

CVE-2024-26583 (https://ubuntu.com/security/CVE-2024-26583)
CVE-2024-26584 (https://ubuntu.com/security/CVE-2024-26584)
CVE-2024-26585 (https://ubuntu.com/security/CVE-2024-26585)

[ Test case ]

1) Enable async crypto:
    $ modprobe tcrypt alg="pcrypt(generic-gcm-aesni)" type=3
2) Enable TLS function tracing:
    $ echo function_graph > /sys/kernel/tracing/current_tracer
    $ echo 'tls_*:mod:tls' > /sys/kernel/tracing/set_ftrace_filter
3) Run TLS kernel selftests from v6.8:
    $ ./linux-6.8/tools/testing/selftests/net/tls
4) Verify:
    - No call traces in the kernel log
    - All modified TLS functions were called
    - No additional unexpected TLS test failures

[ Where problems could occur ]

Modifications are all limited to the tls module so only applications
that use kernel TLS might suffer.

[ Notes ]

1) 5.15 is not vulnerable to CVE-2024-26582
2) All CVEs are fixed by a single set of upstream patches so the fixes are
   all rolled into a single PR as well
3) The first 19 patches are stable patches from linux-5.15.y

Signed-off-by: Juerg Haefliger <juerg.haefliger at canonical.com>

--------

The following changes since commit b0a254efaa61343ba139c20ccb06f89cc3674647:

  UBUNTU: Ubuntu-5.15.0-102.112 (2024-03-05 17:28:50 +0100)

are available in the Git repository at:

  https://git.launchpad.net/~juergh/+git/linux CVE-2024-26584/jammy

for you to fetch changes up to 7b6f7bb902be61dcda8b4cd787ec5a56ced93189:

  net: tls: handle backlogging of crypto requests (2024-03-28 12:10:00 +0100)

----------------------------------------------------------------
Gal Pressman (1):
      Revert "tls: rx: move counting TlsDecryptErrors for sync"

Jakub Kicinski (24):
      tls: rx: jump to a more appropriate label
      tls: rx: drop pointless else after goto
      tls: rx: don't store the record type in socket context
      tls: rx: don't store the decryption status in socket context
      tls: rx: don't issue wake ups when data is decrypted
      tls: rx: refactor decrypt_skb_update()
      tls: hw: rx: use return value of tls_device_decrypted() to carry status
      tls: rx: drop unnecessary arguments from tls_setup_from_iter()
      tls: rx: don't report text length from the bowels of decrypt
      tls: rx: wrap decryption arguments in a structure
      tls: rx: factor out writing ContentType to cmsg
      tls: rx: don't track the async count
      tls: rx: move counting TlsDecryptErrors for sync
      tls: rx: assume crypto always calls our callback
      tls: rx: use async as an in-out argument
      net: tls: fix async vs NIC crypto offload
      tls: rx: simplify async wait
      tls: rx: return the already-copied data on crypto error
      tls: rx: allow only one reader at a time
      tls: rx: release the sock lock on locking timeout
      net: tls: factor out tls_*crypt_async_wait()
      tls: fix race between async notify and socket close
      tls: fix race between tx work scheduling and socket close
      net: tls: handle backlogging of crypto requests

Sabrina Dubroca (3):
      tls: stop recv() if initial process_rx_list gave us non-DATA
      tls: decrement decrypt_pending if no async completion will be called
      tls: extract context alloc/initialization out of tls_set_sw_offload

 include/net/strparser.h |   4 +
 include/net/tls.h       |  20 +-
 net/tls/tls_device.c    |   6 +-
 net/tls/tls_sw.c        | 600 ++++++++++++++++++++++++++----------------------
 4 files changed, 334 insertions(+), 296 deletions(-)
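The "Verify" step of the test case leaves two of its checks to the tester's eye: that no call trace landed in the kernel log, and that every modified tls_* function actually ran under the function_graph tracer. The following script is an added example, not part of the pull request or of the Ubuntu kernel tree, that turns both checks into something scriptable against saved copies of the trace and the kernel log. The function names in the expected list and the trace and dmesg excerpts it is tried on are constructed sample data for illustration; they are not the list of functions this series touches, and the trace format it parses is the ordinary function_graph output of "name() {" / "name();" entries after the "|" column.

```shell
#!/bin/bash
# Added example (not from the original pull request): scripted versions of
# the "No call traces in the kernel log" and "All modified TLS functions
# were called" checks. Works on saved files so it can run offline; the
# sample files built by make_samples are constructed data, and the names in
# the expected list are assumptions, not the functions the series modifies.

# Print, deduplicated and one per line, every function entered in a
# function_graph trace stored in file $1. Entries look like
# "  0)   1.234 us    |  tls_foo();" or "  0)               |  tls_foo() {".
trace_called_funcs() {
    sed -n 's/.*|[[:space:]]*\([A-Za-z_][A-Za-z0-9_.]*\)() *[{;].*/\1/p' "$1" | sort -u
}

# Compare an expected function list ($1, one name per line) against the
# functions seen in the trace file $2. Prints the names that were never
# entered and returns 1 if there are any; returns 0 when all were called.
check_funcs_called() {
    local called missing
    called=$(mktemp)
    trace_called_funcs "$2" > "$called"
    missing=$(sort -u "$1" | comm -23 - "$called")
    rm -f "$called"
    if [ -n "$missing" ]; then
        printf 'not called: %s\n' $missing
        return 1
    fi
    return 0
}

# Return 0 if a saved kernel log ($1) contains an oops/WARNING/BUG splat,
# 1 if it is clean. Patterns are the usual markers printed by the kernel.
kernel_log_has_splat() {
    grep -Eq 'Call Trace:|WARNING: CPU:|BUG: |general protection fault' "$1"
}

# Create a scratch directory with constructed sample inputs and print its
# path: an expected list, a complete trace, an incomplete trace, a clean
# kernel log and one carrying a WARNING splat.
make_samples() {
    local d
    d=$(mktemp -d)
    # Assumed function names, for illustration only.
    printf '%s\n' tls_sw_recvmsg tls_decrypt_sg tls_rx_one_record > "$d/expected"
    # Constructed trace: every expected function is entered.
    cat > "$d/trace_ok" <<'EOF'
 0)               |  tls_sw_recvmsg() {
 0)               |    tls_rx_one_record() {
 0)               |      tls_decrypt_sg() {
 0)   3.210 us    |      }
 0)   5.101 us    |    }
 0) + 12.345 us   |  }
EOF
    # Constructed trace: tls_decrypt_sg never runs (e.g. async path not hit).
    cat > "$d/trace_missing" <<'EOF'
 0)               |  tls_sw_recvmsg() {
 0)   1.001 us    |    tls_rx_one_record();
 0) + 10.000 us   |  }
EOF
    # Constructed kernel log excerpts.
    printf '[   10.000] tls: registered\n' > "$d/dmesg_clean"
    cat > "$d/dmesg_splat" <<'EOF'
[   12.000] WARNING: CPU: 0 PID: 42 at net/tls/tls_sw.c:1 tls_sw_recvmsg+0x1/0x2
[   12.001] Call Trace:
[   12.002]  <TASK>
EOF
    echo "$d"
}

# Usage: run the checks over the constructed samples. Against a real run,
# pass the saved /sys/kernel/tracing/trace and "dmesg" output instead.
d=$(make_samples)
check_funcs_called "$d/expected" "$d/trace_ok" && echo "trace_ok: all expected functions called"
check_funcs_called "$d/expected" "$d/trace_missing" || echo "trace_missing: coverage incomplete"
kernel_log_has_splat "$d/dmesg_clean" || echo "dmesg_clean: no splat"
kernel_log_has_splat "$d/dmesg_splat" && echo "dmesg_splat: call trace found"
rm -rf "$d"
```

To use it on a real test run, save the trace after the selftests finish (cat /sys/kernel/tracing/trace > trace.txt) and the kernel log (dmesg > dmesg.txt), put the tls_* functions changed by the series into a file one per line, and call check_funcs_called and kernel_log_has_splat on those files; a non-zero return from the first or a zero return from the second means the verify step failed.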
