Skip to content

Commit 1eda239

Browse files
committed
tls: adjust recv return with async crypto and failed copy to userspace
jira VULN-136508 cve-pre CVE-2025-39682 commit-author Sabrina Dubroca <sd@queasysnail.net> commit 85eef9a process_rx_list may not copy as many bytes as we want to the userspace buffer, for example in case we hit an EFAULT during the copy. If this happens, we should only count the bytes that were actually copied, which may be 0. Subtracting async_copy_bytes is correct in both peek and !peek cases, because decrypted == async_copy_bytes + peeked for the peek case: peek is always !ZC, and we can go through either the sync or async path. In the async case, we add chunk to both decrypted and async_copy_bytes. In the sync case, we add chunk to both decrypted and peeked. I missed that in commit 6caaf10 ("tls: fix peeking with sync+async decryption"). Fixes: 4d42cd6 ("tls: rx: fix return value for async crypto") Signed-off-by: Sabrina Dubroca <sd@queasysnail.net> Reviewed-by: Simon Horman <horms@kernel.org> Link: https://lore.kernel.org/r/1b5a1eaab3c088a9dd5d9f1059ceecd7afe888d1.1711120964.git.sd@queasysnail.net Signed-off-by: Jakub Kicinski <kuba@kernel.org> (cherry picked from commit 85eef9a) Signed-off-by: Marcin Wcisło <marcin.wcislo@conclusive.pl>
1 parent f6252d7 commit 1eda239

1 file changed

Lines changed: 3 additions & 0 deletions

File tree

net/tls/tls_sw.c

Lines changed: 3 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -2180,6 +2180,9 @@ int tls_sw_recvmsg(struct sock *sk,
21802180
else
21812181
err = process_rx_list(ctx, msg, &control, 0,
21822182
async_copy_bytes, is_peek, NULL);
2183+
2184+
/* we could have copied less than we wanted, and possibly nothing */
2185+
decrypted += max(err, 0) - async_copy_bytes;
21832186
}
21842187

21852188
copied += decrypted;

0 commit comments

Comments
 (0)