kernel fault when decrypting to user buffer

[lancerchao]

If a client makes a syscall like this:

char recv_mem[1000];
recv(fd, recv_mem, TLS_MAX_PAYLOAD_LENGTH, 0);

And the decryption is done straight to user memory (the else{} in tls_recvmsg) a kernel fault is triggered
http://pastebin.com/XjGu0dHx

[fridex]

I suppose that it occurs with TLS.

[lancerchao]

The kernel has to validate user buffers before accessing them. copy_page_to_iter does this for you, but the decryption api does not.

[lancerchao]

Tests available here.
https://github.com/ktls/af_ktls-test/blob/a84cbb8749505c0747859abe9e8c7c1a9ccb6416/tests.cpp#L483-L561

[fridex]

why was this issue closed?

[lancerchao]

Patch is available here.
[https://github.com/lancerchao/af_ktls/commit/fe9c547c39a46587324aabcee2894571b3897849]

Btw, it is not necessary in ktls with revamped buffer management since those keep decrypted data in skbuffs and never decrypts straight to user memory.

[fridex]

I will take a look at your implementation ASAP.

Not to forget about this, reopening since fix is not available in ktls/af_ktls master.

[djwatson]

Fixed, no longer needed now that using skbs