    net/tls: prevent skb_orphan() from leaking TLS plain text with offload · bc110443
    Jakub Kicinski authored
    [ Upstream commit 41477662 ]
    
    sk_validate_xmit_skb() and drivers depend on the sk member of
    struct sk_buff to identify segments requiring encryption.
    Any operation which removes or does not preserve the original TLS
    socket such as skb_orphan() or skb_clone() will cause clear text
    leaks.
    
    Make the TCP socket underlying an offloaded TLS connection
    mark all skbs as decrypted, if TLS TX is in offload mode.
    Then in sk_validate_xmit_skb() catch skbs which have no socket
    (or a socket with no validation) and decrypted flag set.
    
    Note that CONFIG_SOCK_VALIDATE_XMIT, CONFIG_TLS_DEVICE and
    sk->sk_validate_xmit_skb are slightly interchangeable right now,
    they all imply TLS offload. The new checks are guarded by
    CONFIG_TLS_DEVICE because that's the option guarding the
    sk_buff->decrypted member.
    
    A second, smaller issue with orphaning is that it breaks
    the guarantee that packets will be delivered to device
    queues in-order. All TLS offload drivers depend on that
    scheduling property. This means skb_orphan_partial()'s
    trick of preserving partial socket references will cause
    issues in the drivers. We need a full orphan, and as a
    result netem delay/throttling will cause all TLS offload
    skbs to be dropped.
    
    Reusing the sk_buff->decrypted flag also protects from
    leaking clear text when an incoming, decrypted skb is redirected
    (e.g. by TC).
    
    See commit 0608c69c ("bpf: sk_msg, sock{map|hash} redirect
    through ULP") for justification why the internal flag is safe.
    The only location which could leak the flag in is tcp_bpf_sendmsg(),
    which is taken care of by clearing the previously unused bit.
    
    v2:
     - remove superfluous decrypted mark copy (Willem);
     - remove the stale doc entry (Boris);
     - rely entirely on EOR marking to prevent coalescing (Boris);
     - use an internal sendpages flag instead of marking the socket
       (Boris).
    v3 (Willem):
     - reorganize the can_skb_orphan_partial() condition;
     - fix the flag leak-in through tcp_bpf_sendmsg.
    Signed-off-by: Jakub Kicinski <jakub.kicinski@netronome.com>
    Acked-by: Willem de Bruijn <willemb@google.com>
    Reviewed-by: Boris Pismenny <borisp@mellanox.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
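A userland model of the fixed sk_validate_xmit_skb() check the message describes, added here as an example; it is not kernel code and not part of the commit. The names model_skb, model_sock, model_validate_xmit_skb and tls_offload_validate are assumptions standing in for struct sk_buff, struct sock and the real validation hook, and the three-field structs keep only what the check needs.

```c
/* Added example: userland model of the post-fix validation path.
 * An skb holding TLS-offload plaintext (decrypted flag set) must be dropped
 * once it no longer has a socket that can hand it to the encrypting device. */
#include <stdbool.h>
#include <stddef.h>

struct model_sock;
struct model_skb {
    struct model_sock *sk;   /* owning socket; NULL after skb_orphan() */
    bool decrypted;          /* plaintext still awaiting device encryption */
};

struct model_sock {
    /* Per-socket validation hook; NULL on sockets without TLS offload. */
    struct model_skb *(*validate_xmit_skb)(struct model_sock *sk,
                                           struct model_skb *skb);
};

/* Offload-capable socket: the skb is passed on for the driver to encrypt. */
static struct model_skb *tls_offload_validate(struct model_sock *sk,
                                              struct model_skb *skb)
{
    (void)sk;
    return skb;
}

/* skb_orphan() drops the socket reference; the decrypted mark survives it. */
void model_skb_orphan(struct model_skb *skb) { skb->sk = NULL; }

/* Returns the skb to transmit, or NULL when it must be dropped. Before the
 * fix the first branch did not exist: a decrypted skb without a validating
 * socket fell through to the "ordinary traffic" case and left in clear. */
struct model_skb *model_validate_xmit_skb(struct model_skb *skb)
{
    if (skb->decrypted && (!skb->sk || !skb->sk->validate_xmit_skb))
        return NULL;                           /* would leak plaintext */
    if (skb->sk && skb->sk->validate_xmit_skb)
        return skb->sk->validate_xmit_skb(skb->sk, skb);
    return skb;                                /* ordinary traffic */
}

/* Scenario helpers: 1 = transmitted, 0 = dropped. */
int model_xmit(bool decrypted, bool orphaned)
{
    struct model_sock sk = { .validate_xmit_skb = tls_offload_validate };
    struct model_skb skb = { .sk = &sk, .decrypted = decrypted };
    if (orphaned)
        model_skb_orphan(&skb);
    return model_validate_xmit_skb(&skb) != NULL;
}
```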