tls: Avoid copying crypto_info again after cipher_type check.

commit 196c31b4b54474b31dee3c30352c45c2a93e9226 upstream.

Avoid copying crypto_info again after cipher_type check
to avoid a TOCTOU exploits.
The temporary array on the stack is removed as we don't really need it

Fixes: 3c4d7559159b ('tls: kernel TLS support')
Signed-off-by: Ilya Lesokhin <ilyal@mellanox.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
[bwh: Backported to 4.14: Preserve changes made by earlier backports of
 "tls: return -EBUSY if crypto_info is already set" and "tls: zero the
 crypto information from tls_context before freeing"]
Signed-off-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
Signed-off-by: Sasha Levin <sashal@kernel.org>

diff --git a/net/tls/tls_main.c b/net/tls/tls_main.c
index b5f9c578bcf0995dec6b870898e8319c0f726efa..f88df514ad5fcb9c793dc77be246bd8abb46eb16 100644 (file)
--- a/net/tls/tls_main.c
+++ b/net/tls/tls_main.c
@@ -381,7 +381,7 @@ static int tls_getsockopt(struct sock *sk, int level, int optname,
 static int do_tls_setsockopt_tx(struct sock *sk, char __user *optval,
                                unsigned int optlen)
 {
-       struct tls_crypto_info *crypto_info, tmp_crypto_info;
+       struct tls_crypto_info *crypto_info;
        struct tls_context *ctx = tls_get_ctx(sk);
        int rc = 0;
        int tx_conf;
@@ -391,38 +391,33 @@ static int do_tls_setsockopt_tx(struct sock *sk, char __user *optval,
                goto out;
        }
 
-       rc = copy_from_user(&tmp_crypto_info, optval, sizeof(*crypto_info));
+       crypto_info = &ctx->crypto_send.info;
+       /* Currently we don't support set crypto info more than one time */
+       if (TLS_CRYPTO_INFO_READY(crypto_info)) {
+               rc = -EBUSY;
+               goto out;
+       }
+
+       rc = copy_from_user(crypto_info, optval, sizeof(*crypto_info));
        if (rc) {
                rc = -EFAULT;
                goto out;
        }
 
        /* check version */
-       if (tmp_crypto_info.version != TLS_1_2_VERSION) {
+       if (crypto_info->version != TLS_1_2_VERSION) {
                rc = -ENOTSUPP;
-               goto out;
-       }
-
-       /* get user crypto info */
-       crypto_info = &ctx->crypto_send.info;
-
-       /* Currently we don't support set crypto info more than one time */
-       if (TLS_CRYPTO_INFO_READY(crypto_info)) {
-               rc = -EBUSY;
-               goto out;
+               goto err_crypto_info;
        }
 
-       switch (tmp_crypto_info.cipher_type) {
+       switch (crypto_info->cipher_type) {
        case TLS_CIPHER_AES_GCM_128: {
                if (optlen != sizeof(struct tls12_crypto_info_aes_gcm_128)) {
                        rc = -EINVAL;
                        goto err_crypto_info;
                }
-               rc = copy_from_user(
-                 crypto_info,
-                 optval,
-                 sizeof(struct tls12_crypto_info_aes_gcm_128));
-
+               rc = copy_from_user(crypto_info + 1, optval + sizeof(*crypto_info),
+                                   optlen - sizeof(*crypto_info));
                if (rc) {
                        rc = -EFAULT;
                        goto err_crypto_info;