Olga Kornievskaia 6b33c31cc7 sunrpc: fix handling of server side tls alerts ... commit bee47cb026e762841f3faece47b51f985e215edb upstream. Scott Mayhew discovered a security exploit in NFS over TLS in tls_alert_recv() due to its assumption it can read data from the msg iterator's kvec.. kTLS implementation splits TLS non-data record payload between the control message buffer (which includes the type such as TLS aler or TLS cipher change) and the rest of the payload (say TLS alert's level/description) which goes into the msg payload buffer. This patch proposes to rework how control messages are setup and used by sock_recvmsg(). If no control message structure is setup, kTLS layer will read and process TLS data record types. As soon as it encounters a TLS control message, it would return an error. At that point, NFS can setup a kvec backed msg buffer and read in the control message such as a TLS alert. Msg iterator can advance the kvec pointer as a part of the copy process thus we need to revert the iterator before calling into the tls_alert_recv. Reported-by: Scott Mayhew <smayhew@redhat.com> Fixes: 5e052dda12 ("SUNRPC: Recognize control messages in server-side TCP socket code") Suggested-by: Trond Myklebust <trondmy@hammerspace.com> Cc: stable@vger.kernel.org Signed-off-by: Olga Kornievskaia <okorniev@redhat.com> Signed-off-by: Chuck Lever <chuck.lever@oracle.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>		2025-08-15 16:39:30 +02:00
..
auth_gss	sunrpc: fix loop in gss seqno cache	2025-06-23 11:01:15 -04:00
xprtrdma	svcrdma: Adjust the number of entries in svc_rdma_send_ctxt::sc_pages	2025-05-15 16:16:26 -04:00
.kunitconfig	SUNRPC: Remove RPCSEC_GSS_KRB5_ENCTYPES_DES	2023-08-29 17:45:22 -04:00
addr.c	net: sunrpc: Fix an off by one in rpc_sockaddr2uaddr()	2024-02-28 16:18:18 -05:00
auth_null.c
auth_tls.c	SUNRPC: Fail quickly when server does not recognize TLS	2023-09-27 15:16:40 -04:00
auth_unix.c
auth.c	sunrpc: simplify rpcauth_cache_shrink_count()	2025-02-07 16:53:04 +01:00
backchannel_rqst.c	SUNRPC: change the back-channel queue to lwq	2023-10-16 12:44:08 -04:00
cache.c	sunrpc: fix race in cache cleanup causing stale nextcheck time	2025-05-11 19:48:22 -04:00
clnt.c	sunrpc: don't immediately retransmit on seqno miss	2025-05-19 10:14:29 -04:00
debugfs.c	sunrpc: add netns inum and srcaddr to debugfs rpc_xprt info	2025-01-22 15:53:31 -05:00
fail.h
Kconfig	SUNRPC: Remove CONFIG_RPCSEC_GSS_KRB5_CRYPTOSYSTEM	2023-08-29 17:45:22 -04:00
Makefile
netns.h
rpc_pipe.c	Use try_lookup_noperm() instead of d_hash_and_lookup() outside of VFS	2025-04-08 11:24:41 +02:00
rpcb_clnt.c	SUNRPC: rpcbind should never reset the port to the value '0'	2025-03-26 12:17:38 -04:00
sched.c	SUNRPC: Don't allow waiting for exiting tasks	2025-03-28 16:37:57 -04:00
socklib.c
socklib.h
stats.c	sunrpc: use the struct net as the svc proc private	2024-03-01 09:12:09 -05:00
sunrpc_syms.c	net: fill in MODULE_DESCRIPTION()s for Sun RPC	2024-01-11 16:16:08 -08:00
sunrpc.h	SUNRPC: make various functions static, or not exported.	2024-09-01 10:04:56 -04:00
svc_xprt.c	treewide, timers: Rename from_timer() to timer_container_of()	2025-06-08 09:07:37 +02:00
svc.c	sunrpc: handle SVC_GARBAGE during svc auth processing as auth error	2025-06-19 09:35:45 -04:00
svcauth_unix.c	SUNRPC: replace program list with program array	2024-09-23 15:03:30 -04:00
svcauth.c	SUNRPC: add svcauth_map_clnt_to_svc_cred_local	2024-09-23 15:03:30 -04:00
svcsock.c	sunrpc: fix handling of server side tls alerts	2025-08-15 16:39:30 +02:00
sysctl.c	sysctl: treewide: constify the ctl_table argument of proc_handlers	2024-07-24 20:59:29 +02:00
sysfs.c	sunrpc: Add a sysfs file for one-step xprt deletion	2025-03-21 09:34:53 -04:00
sysfs.h
timer.c
xdr.c	SUNRPC: Export xdr_buf_to_bvec()	2025-05-15 16:16:24 -04:00
xprt.c	treewide, timers: Rename from_timer() to timer_container_of()	2025-06-08 09:07:37 +02:00
xprtmultipath.c	sunrpc: Add a sysfs file for adding a new xprt	2025-03-21 09:34:53 -04:00
xprtsock.c	sunrpc: fix client side handling of tls alerts	2025-08-15 16:39:26 +02:00