From patchwork Wed Oct 25 20:39:30 2023
X-Patchwork-Submitter: Yuxuan Luo
X-Patchwork-Id: 1855320
From: Yuxuan Luo
To: kernel-team@lists.ubuntu.com
Subject: [SRU][J/L/M][PATCH 1/1] nvmet-tcp: Fix a possible UAF in queue initialization setup
Date: Wed, 25 Oct 2023 16:39:30 -0400
Message-Id: <20231025203932.60502-2-yuxuan.luo@canonical.com>
In-Reply-To: <20231025203932.60502-1-yuxuan.luo@canonical.com>
References: <20231025203932.60502-1-yuxuan.luo@canonical.com>

From: Sagi Grimberg

From Alon:
"Due to a logical bug in the NVMe-oF/TCP subsystem in the Linux kernel, a malicious user can cause a UAF and a double free, which may lead to RCE (may also lead to an LPE in case the attacker already has local privileges)."

Hence, when a queue initialization fails after the ahash requests are allocated, it is guaranteed that the queue removal async work will be called, hence leave the deallocation to the queue removal.

Also, be extra careful not to continue processing the socket, so set queue rcv_state to NVMET_TCP_RECV_ERR upon a socket error.

Cc: stable@vger.kernel.org
Reported-by: Alon Zahavi
Tested-by: Alon Zahavi
Signed-off-by: Sagi Grimberg
Reviewed-by: Christoph Hellwig
Reviewed-by: Chaitanya Kulkarni
Signed-off-by: Keith Busch
(cherry picked from commit d920abd1e7c4884f9ecd0749d1921b7ab19ddfbd)
CVE-2023-5178
Signed-off-by: Yuxuan Luo
---
 drivers/nvme/target/tcp.c | 7 ++-----
 1 file changed, 2 insertions(+), 5 deletions(-)

diff --git a/drivers/nvme/target/tcp.c b/drivers/nvme/target/tcp.c
index 5e29da94f72d..355d80323b83 100644
--- a/drivers/nvme/target/tcp.c
+++ b/drivers/nvme/target/tcp.c
@@ -345,6 +345,7 @@ static void nvmet_tcp_fatal_error(struct nvmet_tcp_queue *queue) static void nvmet_tcp_socket_error(struct nvmet_tcp_queue *queue, int status) { + queue->rcv_state = NVMET_TCP_RECV_ERR; if (status == -EPIPE || status == -ECONNRESET) kernel_sock_shutdown(queue->sock, SHUT_RDWR); else 
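Review bot: the new `queue->rcv_state = NVMET_TCP_RECV_ERR;` at the top of nvmet_tcp_socket_error() is the only change in this hunk, and nothing in the hunk shows who reads NVMET_TCP_RECV_ERR, so the receive path this state is meant to stop should be named either in the commit message or in a one-line comment above the assignment (for example `/* stop the receive state machine; the queue is being torn down */`). Placing the assignment before the `if (status == -EPIPE || status == -ECONNRESET)` branch is the right order: both the `kernel_sock_shutdown(queue->sock, SHUT_RDWR)` path and the else path end the connection, so the state must already be set before either runs.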
@@ -871,15 +872,11 @@ static int nvmet_tcp_handle_icreq(struct nvmet_tcp_queue *queue) iov.iov_len = sizeof(*icresp); ret = kernel_sendmsg(queue->sock, &msg, &iov, 1, iov.iov_len); if (ret < 0) - goto free_crypto; + return ret; /* queue removal will cleanup */ queue->state = NVMET_TCP_Q_LIVE; nvmet_prepare_receive_pdu(queue); return 0; -free_crypto: - if (queue->hdr_digest || queue->data_digest) - nvmet_tcp_free_crypto(queue); - return ret; } static void nvmet_tcp_handle_req_failure(struct nvmet_tcp_queue *queue,

From patchwork Wed Oct 25 20:39:32 2023
X-Patchwork-Submitter: Yuxuan Luo
X-Patchwork-Id: 1855322
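Review bot: in the nvmet_tcp_handle_icreq() hunk of PATCH 1/1 above, replacing `goto free_crypto` with `return ret; /* queue removal will cleanup */` moves ownership of the ahash requests to the queue-removal work, but the hunk deletes the only visible free (`nvmet_tcp_free_crypto(queue)` under `if (queue->hdr_digest || queue->data_digest)`) without showing the function that now performs it. The commit message's "it is guaranteed that the queue removal async work will be called" should name that function and the caller path that turns a negative return from nvmet_tcp_handle_icreq() into a socket error, because the fix is only correct if every failure after the ahash allocation reaches that path. Deleting the `free_crypto:` label has the useful side effect that any remaining `goto free_crypto` earlier in the function would fail to compile, so the build itself confirms no other early exit still frees the crypto state. Minor: as a verb, "cleanup" in the new comment should be "clean up".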
From: Yuxuan Luo
To: kernel-team@lists.ubuntu.com
Subject: [SRU][Focal][PATCH 2/2] nvmet-tcp: Fix a possible UAF in queue initialization setup
Date: Wed, 25 Oct 2023 16:39:32 -0400
Message-Id: <20231025203932.60502-4-yuxuan.luo@canonical.com>
In-Reply-To: <20231025203932.60502-1-yuxuan.luo@canonical.com>
References: <20231025203932.60502-1-yuxuan.luo@canonical.com>

From: Sagi Grimberg

From Alon:
"Due to a logical bug in the NVMe-oF/TCP subsystem in the Linux kernel, a malicious user can cause a UAF and a double free, which may lead to RCE (may also lead to an LPE in case the attacker already has local privileges)."

Hence, when a queue initialization fails after the ahash requests are allocated, it is guaranteed that the queue removal async work will be called, hence leave the deallocation to the queue removal.

Also, be extra careful not to continue processing the socket, so set queue rcv_state to NVMET_TCP_RECV_ERR upon a socket error.

Cc: stable@vger.kernel.org
Reported-by: Alon Zahavi
Tested-by: Alon Zahavi
Signed-off-by: Sagi Grimberg
Reviewed-by: Christoph Hellwig
Reviewed-by: Chaitanya Kulkarni
Signed-off-by: Keith Busch
(cherry picked from commit d920abd1e7c4884f9ecd0749d1921b7ab19ddfbd)
CVE-2023-5178
Signed-off-by: Yuxuan Luo
---
 drivers/nvme/target/tcp.c | 7 ++-----
 1 file changed, 2 insertions(+), 5 deletions(-)

diff --git a/drivers/nvme/target/tcp.c b/drivers/nvme/target/tcp.c
index e63a50e22e5a0..e8c7135c4c11b 100644
--- a/drivers/nvme/target/tcp.c
+++ b/drivers/nvme/target/tcp.c
@@ -323,6 +323,7 @@ static void nvmet_tcp_fatal_error(struct nvmet_tcp_queue *queue) static void nvmet_tcp_socket_error(struct nvmet_tcp_queue *queue, int status) { + queue->rcv_state = NVMET_TCP_RECV_ERR; if (status == -EPIPE || status == -ECONNRESET) kernel_sock_shutdown(queue->sock, SHUT_RDWR); else @@ -828,15 +829,11 @@ static int nvmet_tcp_handle_icreq(struct nvmet_tcp_queue *queue) iov.iov_len = sizeof(*icresp); ret = kernel_sendmsg(queue->sock, &msg, &iov, 1, iov.iov_len); if (ret < 0) - goto free_crypto; + return ret; /* queue removal will cleanup */ queue->state = NVMET_TCP_Q_LIVE; nvmet_prepare_receive_pdu(queue); return 0; -free_crypto: - if (queue->hdr_digest || queue->data_digest) - nvmet_tcp_free_crypto(queue); - return ret; } static void nvmet_tcp_handle_req_failure(struct nvmet_tcp_queue *queue,
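Review bot: the two Focal hunks are textually identical to the J/L/M ones and differ only in hunk offsets (`@@ -323,6 +323,7 @@` and `@@ -828,15 +829,11 @@` against `@@ -345,6 +345,7 @@` and `@@ -871,15 +872,11 @@`) and in the index hashes, so "(cherry picked from commit d920abd1e7c4884f9ecd0749d1921b7ab19ddfbd)" is the right provenance tag rather than a backport note. What this page does not show is PATCH 1/2 of the Focal series: since tcp.c applies with offset changes only, the cover letter should state what the first Focal patch provides and whether these hunks depend on it, so a reviewer can see why Focal needs two patches where J/L/M needs one.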
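The ownership mistake both commit messages above describe, modelled as an added C example. This is constructed here and is not kernel code or part of either patch: `track_alloc`/`track_free` are a counting allocator that makes a double free observable instead of corrupting the heap, `release_queue` stands in for the asynchronous queue-removal work, and `handle_icreq_before`/`handle_icreq_after` are simplified stand-ins for the error path of nvmet_tcp_handle_icreq() before and after the `goto free_crypto` removal. The rcv_state change from the first hunk is not modelled; the value -32 is used as a stand-in for -EPIPE.

```c
/*
 * Constructed model of the ownership bug behind CVE-2023-5178. Not kernel
 * code: names are simplified stand-ins for the nvmet-tcp functions.
 * Queue setup allocates per-queue hash state; the asynchronous queue-removal
 * work frees it. Before the fix the icreq error path freed it as well, so a
 * connection whose icresp send fails frees the same blocks twice.
 */
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_BLOCKS 8
static struct { void *p; int frees; } blocks[MAX_BLOCKS];
static int nblocks;

static void *track_alloc(size_t n)
{
    void *p = calloc(1, n);
    if (p && nblocks < MAX_BLOCKS) {
        blocks[nblocks].p = p;
        blocks[nblocks].frees = 0;
        nblocks++;
    }
    return p;
}

/* Release a block on its first free; later frees of the same pointer are
 * only counted, so a double free is reported rather than executed. */
static void track_free(void *p)
{
    for (int i = 0; i < nblocks; i++) {
        if (blocks[i].p == p) {
            if (blocks[i].frees++ == 0)
                free(p);
            return;
        }
    }
}

static int blocks_freed_twice(void)
{
    int n = 0;
    for (int i = 0; i < nblocks; i++)
        n += blocks[i].frees > 1;
    return n;
}

static int blocks_never_freed(void)
{
    int n = 0;
    for (int i = 0; i < nblocks; i++)
        n += blocks[i].frees == 0;
    return n;
}

struct queue {
    bool hdr_digest;            /* digests negotiated: hash state exists */
    void *rx_hash, *tx_hash;    /* stand-ins for the ahash requests */
};

static void alloc_crypto(struct queue *q)
{
    q->rx_hash = track_alloc(64);
    q->tx_hash = track_alloc(64);
}

static void free_crypto(struct queue *q)
{
    track_free(q->rx_hash);
    track_free(q->tx_hash);
}

/* Queue-removal work: runs once after any socket error. After the fix it is
 * the single owner of the hash state. */
static void release_queue(struct queue *q)
{
    if (q->hdr_digest)
        free_crypto(q);
}

/* Before the fix: the error path frees the hash state itself, and
 * release_queue() then frees it a second time (the double free). */
static int handle_icreq_before(struct queue *q, int send_ret)
{
    alloc_crypto(q);
    if (send_ret < 0) {
        free_crypto(q);
        return send_ret;
    }
    return 0;
}

/* After the fix: report the error; deallocation is left to release_queue(). */
static int handle_icreq_after(struct queue *q, int send_ret)
{
    alloc_crypto(q);
    if (send_ret < 0)
        return send_ret;
    return 0;
}

/* Drive one connection setup with the given icresp send result (negative
 * means failure), then run the removal work. Returns blocks freed twice. */
static int simulate_setup(int (*handler)(struct queue *, int), int send_ret)
{
    struct queue q = { .hdr_digest = true };
    memset(blocks, 0, sizeof(blocks));
    nblocks = 0;
    handler(&q, send_ret);
    release_queue(&q);
    return blocks_freed_twice();
}

int main(void)
{
    int before = simulate_setup(handle_icreq_before, -32);
    printf("before fix, failed send: %d blocks freed twice\n", before);
    int after = simulate_setup(handle_icreq_after, -32);
    int leaked = blocks_never_freed();
    printf("after fix, failed send:  %d freed twice, %d leaked\n", after, leaked);
    return 0;
}
```

The point the model makes is that the error path and the teardown path must not both own the same resource: once queue removal is guaranteed to run, the only safe early exit is one that frees nothing, which is exactly what the patch's `return ret` does.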