ACK: [SRU][F][PULL] Fixes for CVE-2024-2658{3,4,5}
Manuel Diewald
manuel.diewald at canonical.com
Tue Jun 18 14:12:11 UTC 2024
On Thu, Jun 13, 2024 at 10:58:55AM +0200, Juerg Haefliger wrote:
> [ Impact ]
>
> CVE-2024-26583 (https://ubuntu.com/security/CVE-2024-26583)
> CVE-2024-26584 (https://ubuntu.com/security/CVE-2024-26584)
> CVE-2024-26585 (https://ubuntu.com/security/CVE-2024-26585)
>
> [ Test case ]
>
> 1) Enable async crypto:
> $ modprobe tcrypt alg="pcrypt(generic-gcm-aesni)" type=3
> 2) Enable TLS function tracing:
> $ echo function_graph > /sys/kernel/tracing/current_tracer
> $ echo 'tls_*:mod:tls' > /sys/kernel/tracing/set_ftrace_filter
> 3) Run TLS kernel selftests from v6.9:
> $ ./linux-6.9/tools/testing/selftests/net/tls
> 4) Verify:
> - No call traces in the kernel log
> - All modified TLS functions are called
> - No additional unexpected TLS test failures
>
> [ Where problems could occur ]
>
> Modifications are all limited to the tls module so only applications
> that use kernel TLS might suffer.
>
> [ Notes ]
>
> 1) 5.4 is not vulnerable to CVE-2024-26582
> 2) All CVEs are fixed by a single upstream patchset so the fixes are
> all rolled into a single PR as well
>
> Signed-off-by: Juerg Haefliger <juerg.haefliger at canonical.com>
>
> --------
>
> The following changes since commit fdd8899124cc0797d48181a93c326945146bf907:
>
> UBUNTU: Ubuntu-5.4.0-186.206 (2024-04-26 14:01:17 +0200)
>
> are available in the Git repository at:
>
> https://git.launchpad.net/~juergh/+git/linux focal/linux/CVE-2024-2658x
>
> for you to fetch changes up to d4b78e4da316d5964a298c128ee0e849111d3cbe:
>
> tls: fix race between tx work scheduling and socket close (2024-06-10 15:42:37 +0200)
>
> ----------------------------------------------------------------
> Jakub Kicinski (22):
> tls: splice_read: fix record type check
> tls: splice_read: fix accessing pre-processed records
> net/tls: pass context to tls_device_decrypted()
> net: tls: avoid discarding data on record close
> tls: rx: don't store the record type in socket context
> tls: rx: don't store the decryption status in socket context
> tls: rx: don't issue wake ups when data is decrypted
> tls: rx: refactor decrypt_skb_update()
> tls: hw: rx: use return value of tls_device_decrypted() to carry status
> tls: rx: drop unnecessary arguments from tls_setup_from_iter()
> tls: rx: don't report text length from the bowels of decrypt
> tls: rx: wrap decryption arguments in a structure
> tls: rx: factor out writing ContentType to cmsg
> tls: rx: don't track the async count
> tls: rx: assume crypto always calls our callback
> tls: rx: use async as an in-out argument
> net: tls: fix async vs NIC crypto offload
> tls: rx: simplify async wait
> net: tls: factor out tls_*crypt_async_wait()
> tls: fix race between async notify and socket close
> net: tls: handle backlogging of crypto requests
> tls: fix race between tx work scheduling and socket close
>
> Jim Ma (1):
> tls splice: remove inappropriate flags checking for MSG_PEEK
>
> Maxim Mikityanskiy (4):
> net/tls: Replace TLS_RX_SYNC_RUNNING with RCU
> net/tls: Fix use-after-free after the TLS device goes down and up
> tls: Fix context leak on tls_device_down
> net/tls: Remove the context from the list in tls_device_down
>
> Sabrina Dubroca (2):
> tls: decrement decrypt_pending if no async completion will be called
> tls: extract context alloc/initialization out of tls_set_sw_offload
>
> Tariq Toukan (3):
> net/tls: Check for errors in tls_device_init
> net/tls: Perform immediate device ctx cleanup when possible
> net/tls: Multi-threaded calls to TX tls_dev_del
>
> include/net/strparser.h | 4 +
> include/net/tls.h | 40 ++--
> net/tls/tls_device.c | 210 ++++++++++------
> net/tls/tls_device_fallback.c | 7 +
> net/tls/tls_main.c | 9 +-
> net/tls/tls_sw.c | 543 +++++++++++++++++++++---------------------
> 6 files changed, 442 insertions(+), 371 deletions(-)
>
> --
> kernel-team mailing list
> kernel-team at lists.ubuntu.com
> https://lists.ubuntu.com/mailman/listinfo/kernel-team
The three fix commits seem to require a lot of dependent commits that
landed in stable earlier, so this PR is quite big compared to the
upstream patchset that contains fixes for these particular
vulnerabilities. The testing that was performed looks solid to me,
though. With that in mind, +1.
Acked-by: Manuel Diewald <manuel.diewald at canonical.com>
--
Manuel
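
The "Verify" step of the quoted test case can be scripted. The following is an added example, not part of the original thread or of any Ubuntu kernel tooling. The file names, the expected-function list and all sample data are constructed; the function names come from commit subjects above, plus `tls_sw_recvmsg`.

```shell
#!/bin/sh
# Added example: automates the "Verify" step of the quoted test case.
# File names, the expected-function list and all sample data are constructed.

# Unique tls_* function names that appear in a saved function_graph trace.
traced_tls_functions() {
    grep -ow 'tls_[A-Za-z0-9_]*' "$1" | sort -u
}

# Functions listed in $2 (one per line) that never show up in trace $1.
missing_tls_functions() {
    traced=$(traced_tls_functions "$1")
    while IFS= read -r fn; do
        [ -n "$fn" ] || continue
        printf '%s\n' "$traced" | grep -qxF "$fn" || printf '%s\n' "$fn"
    done < "$2"
}

# Number of kernel log lines that indicate a call trace or kernel warning.
count_call_traces() {
    grep -c -E 'Call Trace:|BUG:|WARNING:' "$1" || true
}

sample=$(mktemp -d)
# Constructed stand-in for: cat /sys/kernel/tracing/trace > trace.txt
cat > "$sample/trace.txt" <<'EOF'
# tracer: function_graph
 1)               |  tls_sw_recvmsg() {
 1)   0.655 us    |    tls_setup_from_iter();
 1)   5.120 us    |  }
 2)   1.204 us    |  tls_set_sw_offload();
EOF
# Assumed list of functions touched by the backport (maintained by the tester).
printf '%s\n' tls_setup_from_iter tls_set_sw_offload tls_device_decrypted \
    > "$sample/expected.txt"
# Constructed stand-in for: dmesg > dmesg.txt
cat > "$sample/dmesg.txt" <<'EOF'
[  101.000001] constructed sample: selftest started
[  102.000002] Call Trace:
EOF

echo "never traced: $(missing_tls_functions "$sample/trace.txt" "$sample/expected.txt")"
echo "call-trace lines: $(count_call_traces "$sample/dmesg.txt")"
```

A function reported as never traced is not necessarily a failure: static functions that the compiler inlined do not appear in the function tracer at all.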