CVE-2021-47131
Description
In the Linux kernel, the following vulnerability has been resolved:

net/tls: Fix use-after-free after the TLS device goes down and up

When a netdev with active TLS offload goes down, tls_device_down is called to stop the offload and tear down the TLS context. However, the socket stays alive, and it still points to the TLS context, which is now deallocated. If a netdev goes up, while the connection is still active, and the data flow resumes after a number of TCP retransmissions, it will lead to a use-after-free of the TLS context.

This commit addresses this bug by keeping the context alive until its normal destruction, and implements the necessary fallbacks, so that the connection can resume in software (non-offloaded) kTLS mode.

On the TX side tls_sw_fallback is used to encrypt all packets. The RX side already has all the necessary fallbacks, because receiving non-decrypted packets is supported. The thing needed on the RX side is to block resync requests, which are normally produced after receiving non-decrypted packets.

The necessary synchronization is implemented for a graceful teardown: first the fallbacks are deployed, then the driver resources are released (it used to be possible to have a tls_dev_resync after tls_dev_del).

A new flag called TLS_RX_DEV_DEGRADED is added to indicate the fallback mode. It's used to skip the RX resync logic completely, as it becomes useless, and some objects may be released (for example, resync_async, which is allocated and freed by the driver).
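The lifetime rules the fix describes (the socket keeps its context alive until its own destruction, the netdev only drops its reference, fallbacks are installed before driver resources are released, and a degraded flag short-circuits RX resync) can be modelled outside the kernel. The following is an added example written for this page, not code from the Linux kernel or from the commit: every struct, function and field name (tls_ctx, sock, netdev_down, tls_dev_resync, resync_async, rx_dev_degraded) is a hypothetical user-space stand-in for the real net/tls objects, and the refcount scheme is a simplification chosen to show the ordering, not the kernel's exact accounting.

```c
/*
 * Added example, not kernel code: a user-space model of the context
 * lifetime handling described in CVE-2021-47131's fix. All names are
 * hypothetical stand-ins for the kernel's net/tls structures.
 */
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

enum tx_path { TX_HW_OFFLOAD = 0, TX_SW_FALLBACK = 1 };
enum resync_result { RESYNC_HANDLED = 0, RESYNC_SKIPPED = 1 };

struct tls_ctx {
    int refcount;            /* one ref per owner: the socket, plus the netdev while offloading */
    bool rx_dev_degraded;    /* models TLS_RX_DEV_DEGRADED: device gone, stay in software mode */
    enum tx_path tx_path;    /* which encryption path the TX side currently uses */
    int *resync_async;       /* driver-owned resync state, allocated and freed by the "driver" */
    int resync_handled;      /* number of resync requests actually processed */
};

struct sock {
    struct tls_ctx *ctx;     /* the socket points at its context for its whole life */
};

static void ctx_get(struct tls_ctx *ctx) { ctx->refcount++; }

/* Returns true when this put dropped the last reference and freed the context. */
static bool ctx_put(struct tls_ctx *ctx)
{
    if (--ctx->refcount > 0)
        return false;
    free(ctx->resync_async);
    free(ctx);
    return true;
}

/* Open a socket whose TLS state is offloaded to a (modelled) netdev. */
struct sock *sock_open_offloaded(void)
{
    struct sock *sk = calloc(1, sizeof *sk);
    struct tls_ctx *ctx = calloc(1, sizeof *ctx);
    if (!sk || !ctx) { free(sk); free(ctx); return NULL; }
    ctx->refcount = 1;                                          /* the socket's reference */
    ctx->tx_path = TX_HW_OFFLOAD;
    ctx->resync_async = calloc(1, sizeof *ctx->resync_async);  /* driver resources */
    ctx_get(ctx);                                               /* the netdev's reference */
    sk->ctx = ctx;
    return sk;
}

/* Driver teardown (models tls_dev_del): driver-owned objects are released here. */
static void tls_dev_del(struct tls_ctx *ctx)
{
    free(ctx->resync_async);
    ctx->resync_async = NULL;
}

/*
 * Netdev going down (models the fixed tls_device_down). The ordering is the
 * point: fallbacks first, driver resources second, and the context is not
 * freed; only the netdev's reference is dropped.
 */
void netdev_down(struct sock *sk)
{
    struct tls_ctx *ctx = sk->ctx;
    ctx->tx_path = TX_SW_FALLBACK;     /* software encryption from now on */
    ctx->rx_dev_degraded = true;       /* RX resync logic skipped from now on */
    tls_dev_del(ctx);                  /* only now may the driver free resync_async */
    ctx_put(ctx);                      /* the socket still holds its own reference */
}

/* RX path: a resync request after non-decrypted data. In degraded mode it is
 * skipped entirely, so the released resync_async is never touched. */
enum resync_result tls_dev_resync(struct sock *sk)
{
    struct tls_ctx *ctx = sk->ctx;
    if (ctx->rx_dev_degraded)
        return RESYNC_SKIPPED;
    (*ctx->resync_async)++;            /* driver state, valid only while offloaded */
    ctx->resync_handled++;
    return RESYNC_HANDLED;
}

enum tx_path tls_tx_path(const struct sock *sk) { return sk->ctx->tx_path; }

/* Socket close: the normal destruction point; the last reference frees ctx. */
bool sock_close(struct sock *sk)
{
    bool freed = ctx_put(sk->ctx);
    free(sk);
    return freed;
}

/* Walk the scenario from the description: offload, dev down, traffic resumes, close. */
int scenario_ok(void)
{
    struct sock *sk = sock_open_offloaded();
    if (!sk || sk->ctx->refcount != 2 || tls_dev_resync(sk) != RESYNC_HANDLED)
        return 0;
    netdev_down(sk);
    if (sk->ctx->refcount != 1 || sk->ctx->resync_async != NULL)
        return 0;
    if (tls_tx_path(sk) != TX_SW_FALLBACK || tls_dev_resync(sk) != RESYNC_SKIPPED)
        return 0;
    return sock_close(sk) ? 1 : 0;
}

int main(void)
{
    printf("scenario %s\n", scenario_ok() ? "ok" : "FAILED");
    return 0;
}
```

The vulnerable ordering is the one the model deliberately avoids: freeing the context in netdev_down while sk->ctx still points at it, so that the next retransmission-driven send or resync dereferences freed memory. With the socket holding its own reference, a later traffic burst only ever sees a live context in software mode, and the degraded flag is checked before any driver-owned object is touched.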
POC
Reference
No PoCs from references.