CVE-2023-1075 - Linux Kernel: Type Confusion in tls_is_tx_ready()

[Pietro Borrello <borrello () diag uniroma1 it>]

Hi all,

I am disclosing a type confusion in the net/tls stack of the Linux Kernel.
tls_is_tx_ready() checks that list_first_entry() does not return NULL.
However, this condition can never happen.
For an empty `tx_list`, list_first_entry() returns the list_entry() of the head,
which, when used, is a type confusion.
Thus, tls_is_tx_ready() may potentially use a type-confused entry
to the list_head, leaking the last byte of the type confused field
that overlaps with rec->tx_ready.

The patch has been merged in the Linux tree:
https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/commit/?id=ffe2a22562444720b05bdfeb999c03e810d84cbb

The issue has been assigned CVE-2023-1075.

Best regards,
Pietro Borrello