| Message ID | b2f5120a3efa20c62a83397d96e949eac6a983df.1783336121.git.ralf@mandelbit.com |
|---|---|
| State | New |
| Headers |
Return-Path: <openvpn-devel-bounces@lists.sourceforge.net>
Delivered-To: patchwork@openvpn.net
Received: by 2002:a05:7000:1887:b0:869:83bc:8c48 with SMTP id r7csp5321228max;
Mon, 6 Jul 2026 04:34:39 -0700 (PDT)
X-Forwarded-Encrypted: i=2;
AHgh+Rov8bsC7TAB9PB+0TO1qGiicf5aDt0NrGyRX2DiUVFaqpsYFX2jBcHRxvANiWR2tZ/FOswlamlH0+c=@openvpn.net
X-Received: by 2002:a05:6870:3272:b0:448:4eb3:b87e with SMTP id
586e51a60fabf-44d182e9e19mr6218551fac.27.1783337679293;
Mon, 06 Jul 2026 04:34:39 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1783337679; cv=none;
d=google.com; s=arc-20260327;
b=d5ADKJe74tLqESV4WwJie1uwZkjsOxkS8MiU4Rev2G03IloBskf4bfT25gbUWdHFRW
q1thYna10JShaFAfAg5eeggGzIF5t/S+eZ8WUqnGQJoo4SwxTsGGgEaFkQS24SsqAQuh
pK/aIBgT4zPodcyQGq7tGlR8PILxyqoYAgNcbrg4tWH0YvrWP9Ygf2BEuK9tLAUjHwVK
MASRDU+rvap0BijEFpgUF2Mj6dZe5T7z9uN1e9BefqtpK/yCSMov8d3FJgqGWfKCz4hq
qul8ijNTYWStRHPwjhOupx6qDE0jgVGhSRIsLAjBTnnxC60kh2R8gVgUs5x8ri+9c2AK
Gucw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
s=arc-20260327;
h=errors-to:content-transfer-encoding:list-subscribe:list-help
:list-post:list-archive:list-unsubscribe:list-id:precedence:subject
:mime-version:references:in-reply-to:message-id:date:to:from
:dkim-signature:dkim-signature:dkim-signature:dkim-signature;
bh=N4kSnmDCLOQt/zZqzatHcgV5fBoi13OyZVJO/0W1JyE=;
fh=4NbAC/LsuMLI0S0hprUlLSLCiHwg6SCAifhH718Jh0Q=;
b=p7LOvUPTlI5m+MNFiaONcJeG9J6007HD7eCkNU/jaVl+fgq7GRj2Yn1jrpL2zo2abc
rVGo3CcVy/mlPljdhwQXPrV9dH5nQZGjM9myfIn6aGKF8OAE69Fsq4VSCngzNQbk5Ggm
GiqgKb6jZK1masAeGWrK7slERrSMAPxclqe+ZM9cBX8VBCkIsVW1h/xk0+aghPORKYd/
iyz0OV1LCI1VmNXHCBJyMT+jDhAdZYJPgvKkfmMRpH1es0D7ev9zezmgsbroVCDTrVJm
Iido+Tnx3rZR+XAHCujNaUVkIojzVhVnpgQIkjD/gTDuI8DgfdOJ/TQMuM5wKexSL2FE
ENog==;
dara=google.com
ARC-Authentication-Results: i=1; mx.google.com;
dkim=pass header.i=@lists.sourceforge.net header.s=beta
header.b=lQ2M1LSw;
dkim=neutral (body hash did not verify) header.i=@sourceforge.net
header.s=x header.b=DYtuZoYq;
dkim=neutral (body hash did not verify) header.i=@sf.net header.s=x
header.b=Zxg+ygn0;
dkim=neutral (body hash did not verify) header.i=@mandelbit.com
header.s=MBO0001 header.b=LqewURx9;
spf=pass (google.com: domain of
openvpn-devel-bounces@lists.sourceforge.net designates 216.105.38.7 as
permitted sender) smtp.mailfrom=openvpn-devel-bounces@lists.sourceforge.net
Received: from lists.sourceforge.net (lists.sourceforge.net. [216.105.38.7])
by mx.google.com with ESMTPS id
586e51a60fabf-44d30639a09si4869104fac.126.2026.07.06.04.34.39
(version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128);
Mon, 06 Jul 2026 04:34:39 -0700 (PDT)
Received-SPF: pass (google.com: domain of
openvpn-devel-bounces@lists.sourceforge.net designates 216.105.38.7 as
permitted sender) client-ip=216.105.38.7;
Authentication-Results: mx.google.com;
dkim=pass header.i=@lists.sourceforge.net header.s=beta
header.b=lQ2M1LSw;
dkim=neutral (body hash did not verify) header.i=@sourceforge.net
header.s=x header.b=DYtuZoYq;
dkim=neutral (body hash did not verify) header.i=@sf.net header.s=x
header.b=Zxg+ygn0;
dkim=neutral (body hash did not verify) header.i=@mandelbit.com
header.s=MBO0001 header.b=LqewURx9;
spf=pass (google.com: domain of
openvpn-devel-bounces@lists.sourceforge.net designates 216.105.38.7 as
permitted sender) smtp.mailfrom=openvpn-devel-bounces@lists.sourceforge.net
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
d=lists.sourceforge.net; s=beta; h=Content-Transfer-Encoding:Content-Type:
List-Subscribe:List-Help:List-Post:List-Archive:List-Unsubscribe:List-Id:
Subject:MIME-Version:References:In-Reply-To:Message-ID:Date:To:From:Sender:
Reply-To:Cc:Content-ID:Content-Description:Resent-Date:Resent-From:
Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Owner;
bh=N4kSnmDCLOQt/zZqzatHcgV5fBoi13OyZVJO/0W1JyE=; b=lQ2M1LSwuDMc7GW0Jp9hyQeOur
Mj9rfOJx42sK/2JBpUxkM24gHtf3w6rRv2Y6dHX4oxaoQ4PoKXbsft3bunEALvmiEf9Qbk/ZNYKMI
MExuNXdHwFu3vuNjBdY0AW2bLTzx9Hd3gqQeGTZvxlHYY8BvpEIFy4SosL+QRyMEykvE=;
Received: from [127.0.0.1] (helo=sfs-ml-2.v29.lw.sourceforge.com)
by sfs-ml-2.v29.lw.sourceforge.com with esmtp (Exim 4.95)
(envelope-from <openvpn-devel-bounces@lists.sourceforge.net>)
id 1wghat-0001KK-9K;
Mon, 06 Jul 2026 11:34:36 +0000
Received: from [172.30.29.66] (helo=mx.sourceforge.net)
by sfs-ml-2.v29.lw.sourceforge.com with esmtps (TLS1.2) tls
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.95)
(envelope-from <ralf@mandelbit.com>) id 1wghar-0001KB-Ak
for openvpn-devel@lists.sourceforge.net;
Mon, 06 Jul 2026 11:34:34 +0000
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
d=sourceforge.net; s=x; h=Content-Transfer-Encoding:MIME-Version:References:
In-Reply-To:Message-ID:Date:Subject:Cc:To:From:Sender:Reply-To:Content-Type:
Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender:
Resent-To:Resent-Cc:Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:
List-Subscribe:List-Post:List-Owner:List-Archive;
bh=vYkAXVlwWnFwk4Pg9jQnNOpzSSm0BPWUf0P489QL93U=; b=DYtuZoYqS1HAxxForlKlpQZqiM
r8hWgxhQiY1BgP4XZocNdQRslBuVDH0tx9N9Yn+oAzpa5+T43ojkhxIFsp2D6hoIGujrZ5ZEd2uAr
YI3YgsjP5YHB21uLpKFry9VGbNolIe/o7AOSovqWWVmgmeEclEgHOfU7CEd3OStJozwc=;
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sf.net; s=x
;
h=Content-Transfer-Encoding:MIME-Version:References:In-Reply-To:Message-ID:
Date:Subject:Cc:To:From:Sender:Reply-To:Content-Type:Content-ID:
Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc
:Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe:
List-Post:List-Owner:List-Archive;
bh=vYkAXVlwWnFwk4Pg9jQnNOpzSSm0BPWUf0P489QL93U=; b=Zxg+ygn0GSjxQMkBzL0hNA/ixV
h8CbTFpZ396fXogw2sPfpvBL0n+gXXBiOLKQGIFZnSBbl9Wen5Yh1mfIgPC7XiP8s1Hiu/TIFTQ7o
koiYsXR/M3ENoSrM9SpP/j6+mZCtD9x+Im5LEFA8rR97AeubtLpCeBd2OmzgYygd6VOw=;
Received: from mout-b-110.mailbox.org ([195.10.208.55])
by sfi-mx-2.v28.lw.sourceforge.com with esmtps
(TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.95)
id 1wghap-0006lM-UI for openvpn-devel@lists.sourceforge.net;
Mon, 06 Jul 2026 11:34:34 +0000
Received: from smtp1.mailbox.org (smtp1.mailbox.org [10.196.197.1])
(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest
SHA256)
(No client certificate requested)
by mout-b-110.mailbox.org (Postfix) with ESMTPS id 4gv2Ly6gJ0zB1Ct;
Mon, 6 Jul 2026 13:34:18 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mandelbit.com;
s=MBO0001; t=1783337658;
h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
to:to:cc:cc:mime-version:mime-version:
content-transfer-encoding:content-transfer-encoding:
in-reply-to:in-reply-to:references:references;
bh=vYkAXVlwWnFwk4Pg9jQnNOpzSSm0BPWUf0P489QL93U=;
b=LqewURx9g7iTWrNBQxeI4cZSRrZ84ShgpQzuRZ6XcCg49pcNq1TY/jfvid9/n98pZgalQx
3WE7hHWOyTFYRLomgJTSziQIStp2rrUIV0bonli7ikyH+ov84Uuisn7p0chJnxPBowW9zW
apmRQy6egqumMqnekGReLOCNPS8xUukqDjazDpjFRrDw43GTSKvWvbt199Qg2GcSbuW58r
VP0OxXlq0N7MbIzGjq4ELIiBPWb8NzuMBn8xqWBhJFiAOIboZ5iU6Na/nN5Q4fekBewixD
iH33SeJ4YGOvatG12lqNJ9js1/0HubEKJflP9NKQCbERevXOiYCrCc8FBwql5A==
From: Ralf Lici <ralf@mandelbit.com>
To: openvpn-devel@lists.sourceforge.net
Date: Mon, 6 Jul 2026 13:33:59 +0200
Message-ID:
<b2f5120a3efa20c62a83397d96e949eac6a983df.1783336121.git.ralf@mandelbit.com>
In-Reply-To: <cover.1783336121.git.ralf@mandelbit.com>
References: <cover.1783336121.git.ralf@mandelbit.com>
MIME-Version: 1.0
X-Spam-Score: -0.2 (/)
X-Spam-Report: Spam detection software,
running on the system "sfi-spamd-1.hosts.colo.sdot.me",
has NOT identified this incoming email as spam. The original
message has been attached to this so you can view it or label
similar future email. If you have any questions, see
the administrator of that system for details.
Content preview: ovpn_crypto_kill_key assumes both crypto slots are populated
and dereferences each slot before checking it. That is not guaranteed: a
peer can have only one installed key, and the kill path may be ask [...]
Content analysis details: (-0.2 points, 5.0 required)
pts rule name description
---- ----------------------
--------------------------------------------------
-0.1 DKIM_VALID_EF Message has a valid DKIM or DK signature from
envelope-from domain
-0.1 DKIM_VALID Message has at least one valid DKIM or DK signature
0.1 DKIM_SIGNED Message has a DKIM or DK signature,
not necessarily valid
-0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's
domain
X-Headers-End: 1wghap-0006lM-UI
Subject: [Openvpn-devel] [PATCH ovpn net v5 1/6] ovpn: fix NULL dereference
when killing missing key
X-BeenThere: openvpn-devel@lists.sourceforge.net
X-Mailman-Version: 2.1.21
Precedence: list
List-Id: <openvpn-devel.lists.sourceforge.net>
List-Unsubscribe: <https://lists.sourceforge.net/lists/options/openvpn-devel>,
<mailto:openvpn-devel-request@lists.sourceforge.net?subject=unsubscribe>
List-Archive:
<http://sourceforge.net/mailarchive/forum.php?forum_name=openvpn-devel>
List-Post: <mailto:openvpn-devel@lists.sourceforge.net>
List-Help: <mailto:openvpn-devel-request@lists.sourceforge.net?subject=help>
List-Subscribe: <https://lists.sourceforge.net/lists/listinfo/openvpn-devel>,
<mailto:openvpn-devel-request@lists.sourceforge.net?subject=subscribe>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: openvpn-devel-bounces@lists.sourceforge.net
X-getmail-retrieved-from-mailbox: Inbox
X-GMAIL-THRID: 1869965090188861785
X-GMAIL-MSGID: 1869965090188861785
|
| Series |
ovpn: fix key and workqueue lifetime issues
|
|
Commit Message
Ralf Lici
July 6, 2026, 11:33 a.m. UTC
ovpn_crypto_kill_key assumes both crypto slots are populated and
dereferences each slot before checking it. That is not guaranteed: a
peer can have only one installed key, and the kill path may be asked to
remove a key that is not present.
Read each slot once while holding the crypto state lock, check for NULL
before looking at key_id, and only replace the slot that actually
matches.
Fixes: 89d3c0e4612a ("ovpn: kill key and notify userspace in case of IV exhaustion")
Signed-off-by: Ralf Lici <ralf@mandelbit.com>
---
Changes since v4 of this series https://lore.kernel.org/openvpn-devel/981d2ea51cca45138210aa52c6e5a0e55c0da7a0.1783099626.git.ralf@mandelbit.com/
- Add this previously posted standalone fix to the series so the whole
set can be picked in order.
- No changes since v2 of the original single patch
https://lore.kernel.org/openvpn-devel/19318904cf077d067cd4ec628a22bab03ed7dd29.1782993857.git.ralf@mandelbit.com/
Changes since v1 of the original single patch https://lore.kernel.org/openvpn-devel/9fc33e6f9fae10b9e372a3e06934d697edf5b024.1782829171.git.ralf@mandelbit.com/
- Remove unnecessary braces around single-statement if/else branches.
drivers/net/ovpn/crypto.c | 10 +++++++---
1 file changed, 7 insertions(+), 3 deletions(-)
Comments
Hi Ralf, Sorry, I'm slowly catching up with the recent activity here. 2026-07-06, 13:33:59 +0200, Ralf Lici wrote: > ovpn_crypto_kill_key assumes both crypto slots are populated and > dereferences each slot before checking it. That is not guaranteed: a > peer can have only one installed key, and the kill path may be asked to > remove a key that is not present. > > Read each slot once while holding the crypto state lock, check for NULL > before looking at key_id, and only replace the slot that actually > matches. > > Fixes: 89d3c0e4612a ("ovpn: kill key and notify userspace in case of IV exhaustion") > Signed-off-by: Ralf Lici <ralf@mandelbit.com> > --- > Changes since v4 of this series https://lore.kernel.org/openvpn-devel/981d2ea51cca45138210aa52c6e5a0e55c0da7a0.1783099626.git.ralf@mandelbit.com/ > - Add this previously posted standalone fix to the series so the whole > set can be picked in order. > - No changes since v2 of the original single patch > https://lore.kernel.org/openvpn-devel/19318904cf077d067cd4ec628a22bab03ed7dd29.1782993857.git.ralf@mandelbit.com/ > > Changes since v1 of the original single patch https://lore.kernel.org/openvpn-devel/9fc33e6f9fae10b9e372a3e06934d697edf5b024.1782829171.git.ralf@mandelbit.com/ > - Remove unnecessary braces around single-statement if/else branches. > > drivers/net/ovpn/crypto.c | 10 +++++++--- > 1 file changed, 7 insertions(+), 3 deletions(-) > > diff --git a/drivers/net/ovpn/crypto.c b/drivers/net/ovpn/crypto.c > index 90580e32052f..8cb7078a1d93 100644 > --- a/drivers/net/ovpn/crypto.c > +++ b/drivers/net/ovpn/crypto.c > @@ -58,15 +58,19 @@ void ovpn_crypto_state_release(struct ovpn_crypto_state *cs) > bool ovpn_crypto_kill_key(struct ovpn_crypto_state *cs, u8 key_id) > { > struct ovpn_crypto_key_slot *ks = NULL; > + struct ovpn_crypto_key_slot *tmp; > > spin_lock_bh(&cs->lock); > - if (rcu_access_pointer(cs->slots[0])->key_id == key_id) { > + tmp = rcu_access_pointer(cs->slots[0]); > + if (tmp && tmp->key_id == key_id) > ks = rcu_replace_pointer(cs->slots[0], NULL, > lockdep_is_held(&cs->lock)); > - } else if (rcu_access_pointer(cs->slots[1])->key_id == key_id) { > + else > + tmp = rcu_access_pointer(cs->slots[1]); > + > + if (!ks && tmp && tmp->key_id == key_id) > ks = rcu_replace_pointer(cs->slots[1], NULL, > lockdep_is_held(&cs->lock)); > - } I find the "!ks && tmp" logic really confusing. Maybe something like this (untested) would be more readable? int slot; spin_lock_bh(&cs->lock); slot = 0; tmp = rcu_access_pointer(cs->slots[slot]); if (!tmp || tmp->key_id != key_id) { slot = 1; tmp = rcu_access_pointer(cs->slots[slot]); } if (tmp && tmp->key_id == key_id) ks = rcu_replace_pointer(cs->slots[slot], NULL, lockdep_is_held(&cs->lock)); spin_unlock_bh(&cs->lock); [...]
diff --git a/drivers/net/ovpn/crypto.c b/drivers/net/ovpn/crypto.c index 90580e32052f..8cb7078a1d93 100644 --- a/drivers/net/ovpn/crypto.c +++ b/drivers/net/ovpn/crypto.c @@ -58,15 +58,19 @@ void ovpn_crypto_state_release(struct ovpn_crypto_state *cs) bool ovpn_crypto_kill_key(struct ovpn_crypto_state *cs, u8 key_id) { struct ovpn_crypto_key_slot *ks = NULL; + struct ovpn_crypto_key_slot *tmp; spin_lock_bh(&cs->lock); - if (rcu_access_pointer(cs->slots[0])->key_id == key_id) { + tmp = rcu_access_pointer(cs->slots[0]); + if (tmp && tmp->key_id == key_id) ks = rcu_replace_pointer(cs->slots[0], NULL, lockdep_is_held(&cs->lock)); - } else if (rcu_access_pointer(cs->slots[1])->key_id == key_id) { + else + tmp = rcu_access_pointer(cs->slots[1]); + + if (!ks && tmp && tmp->key_id == key_id) ks = rcu_replace_pointer(cs->slots[1], NULL, lockdep_is_held(&cs->lock)); - } spin_unlock_bh(&cs->lock); if (ks)