Linux Kernel TLS ULP Data Handling Vulnerability

Vulnerability

A vulnerability in the Linux kernel's handling of the Transport Layer Security (TLS) Upper-Layer Protocol (ULP) can lead to undefined behavior. The issue arises because TLS expects to own the receive queue of the TCP socket. That expectation is violated when a reader of the TCP socket accesses it before the TLS ULP is installed, or reads it through a non-standard API such as a zero-copy method. The fix replaces a problematic early exit with proper error handling: the parsing state is cleared and the reader is told to retry. While the fix prevents kernel crashes, the underlying condition can still disrupt TLS operations by corrupting the data stream or causing alerts or attacks to be missed.

Impact

Exploitation of this vulnerability can lead to undefined behavior in TLS operations, such as data stream corruption or missed security alerts, but it does not cause a kernel crash.

Reproduction

The vulnerability can be reproduced by reading a TCP socket through a non-standard API that bypasses the normal data handling path. This occurs when a TLS ULP is applied to the socket and data is read from it before the ULP is fully established, or when a zero-copy read method interferes with TLS's control of the receive queue. Reading the socket in this manner can cause TLS to misinterpret the data, triggering the vulnerability.

Remediation

Users can apply the latest patches available in the Linux kernel stable tree to address this vulnerability.

Added: Aug 22, 2025, 2:31 PM
Updated: Aug 22, 2025, 2:31 PM

Vulnerability Rating (Custom Algorithm)

  Category         Score
  spread           9.0
  impact           2.5
  exploitability   5.4
  remediation      7.7
  relevance        0.4
  threat           4.8
  urgency          2.9
  incentive        1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.