From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Vincent Pelletier <plr.vincent@gmail.com>,
Mike Christie <mchristi@redhat.com>,
"Martin K. Petersen" <martin.petersen@oracle.com>
Subject: [PATCH 4.9 25/44] scsi: target: iscsi: Use hex2bin instead of a re-implementation
Date: Thu, 27 Sep 2018 11:04:14 +0200
Message-ID: <20180927090121.392109241@linuxfoundation.org>
In-Reply-To: <20180927090117.997362691@linuxfoundation.org>
4.9-stable review patch. If anyone has any objections, please let me know.
------------------
From: Vincent Pelletier <plr.vincent@gmail.com>
commit 1816494330a83f2a064499d8ed2797045641f92c upstream.
This change has the following effects, in order of decreasing importance:
1) Prevent a stack buffer overflow
2) Do not append an unnecessary NULL to an anyway binary buffer, which
is writing one byte past client_digest when caller is:
chap_string_to_hex(client_digest, chap_r, strlen(chap_r));
The latter was found by KASAN (see below) when input value has expected size
(32 hex chars), and further analysis revealed a stack buffer overflow can
happen when network-received value is longer, allowing an unauthenticated
remote attacker to smash up to 17 bytes after destination buffer (16 bytes
attacker-controlled and one null). As switching to hex2bin requires
specifying destination buffer length, and does not internally append any null,
it solves both issues.
This addresses CVE-2018-14633.
Beyond this:
- Validate received value length and check hex2bin accepted the input, to log
this rejection reason instead of just failing authentication.
- Only log received CHAP_R and CHAP_C values once they passed sanity checks.
==================================================================
BUG: KASAN: stack-out-of-bounds in chap_string_to_hex+0x32/0x60 [iscsi_target_mod]
Write of size 1 at addr ffff8801090ef7c8 by task kworker/0:0/1021
CPU: 0 PID: 1021 Comm: kworker/0:0 Tainted: G O 4.17.8kasan.sess.connops+ #2
Hardware name: To be filled by O.E.M. To be filled by O.E.M./Aptio CRB, BIOS 5.6.5 05/19/2014
Workqueue: events iscsi_target_do_login_rx [iscsi_target_mod]
Call Trace:
dump_stack+0x71/0xac
print_address_description+0x65/0x22e
? chap_string_to_hex+0x32/0x60 [iscsi_target_mod]
kasan_report.cold.6+0x241/0x2fd
chap_string_to_hex+0x32/0x60 [iscsi_target_mod]
chap_server_compute_md5.isra.2+0x2cb/0x860 [iscsi_target_mod]
? chap_binaryhex_to_asciihex.constprop.5+0x50/0x50 [iscsi_target_mod]
? ftrace_caller_op_ptr+0xe/0xe
? __orc_find+0x6f/0xc0
? unwind_next_frame+0x231/0x850
? kthread+0x1a0/0x1c0
? ret_from_fork+0x35/0x40
? ret_from_fork+0x35/0x40
? iscsi_target_do_login_rx+0x3bc/0x4c0 [iscsi_target_mod]
? deref_stack_reg+0xd0/0xd0
? iscsi_target_do_login_rx+0x3bc/0x4c0 [iscsi_target_mod]
? is_module_text_address+0xa/0x11
? kernel_text_address+0x4c/0x110
? __save_stack_trace+0x82/0x100
? ret_from_fork+0x35/0x40
? save_stack+0x8c/0xb0
? 0xffffffffc1660000
? iscsi_target_do_login+0x155/0x8d0 [iscsi_target_mod]
? iscsi_target_do_login_rx+0x3bc/0x4c0 [iscsi_target_mod]
? process_one_work+0x35c/0x640
? worker_thread+0x66/0x5d0
? kthread+0x1a0/0x1c0
? ret_from_fork+0x35/0x40
? iscsi_update_param_value+0x80/0x80 [iscsi_target_mod]
? iscsit_release_cmd+0x170/0x170 [iscsi_target_mod]
chap_main_loop+0x172/0x570 [iscsi_target_mod]
? chap_server_compute_md5.isra.2+0x860/0x860 [iscsi_target_mod]
? rx_data+0xd6/0x120 [iscsi_target_mod]
? iscsit_print_session_params+0xd0/0xd0 [iscsi_target_mod]
? cyc2ns_read_begin.part.2+0x90/0x90
? _raw_spin_lock_irqsave+0x25/0x50
? memcmp+0x45/0x70
iscsi_target_do_login+0x875/0x8d0 [iscsi_target_mod]
? iscsi_target_check_first_request.isra.5+0x1a0/0x1a0 [iscsi_target_mod]
? del_timer+0xe0/0xe0
? memset+0x1f/0x40
? flush_sigqueue+0x29/0xd0
iscsi_target_do_login_rx+0x3bc/0x4c0 [iscsi_target_mod]
? iscsi_target_nego_release+0x80/0x80 [iscsi_target_mod]
? iscsi_target_restore_sock_callbacks+0x130/0x130 [iscsi_target_mod]
process_one_work+0x35c/0x640
worker_thread+0x66/0x5d0
? flush_rcu_work+0x40/0x40
kthread+0x1a0/0x1c0
? kthread_bind+0x30/0x30
ret_from_fork+0x35/0x40
The buggy address belongs to the page:
page:ffffea0004243bc0 count:0 mapcount:0 mapping:0000000000000000 index:0x0
flags: 0x17fffc000000000()
raw: 017fffc000000000 0000000000000000 0000000000000000 00000000ffffffff
raw: ffffea0004243c20 ffffea0004243ba0 0000000000000000 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff8801090ef680: f2 f2 f2 f2 f2 f2 f2 01 f2 f2 f2 f2 f2 f2 f2 00
ffff8801090ef700: f2 f2 f2 f2 f2 f2 f2 00 02 f2 f2 f2 f2 f2 f2 00
>ffff8801090ef780: 00 f2 f2 f2 f2 f2 f2 00 00 f2 f2 f2 f2 f2 f2 00
^
ffff8801090ef800: 00 f2 f2 f2 f2 f2 f2 00 00 00 00 02 f2 f2 f2 f2
ffff8801090ef880: f2 f2 f2 00 00 00 00 00 00 00 00 f2 f2 f2 f2 00
==================================================================
Signed-off-by: Vincent Pelletier <plr.vincent@gmail.com>
Reviewed-by: Mike Christie <mchristi@redhat.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/target/iscsi/iscsi_target_auth.c | 30 ++++++++++++++----------------
1 file changed, 14 insertions(+), 16 deletions(-)
--- a/drivers/target/iscsi/iscsi_target_auth.c
+++ b/drivers/target/iscsi/iscsi_target_auth.c
@@ -26,18 +26,6 @@
#include "iscsi_target_nego.h"
#include "iscsi_target_auth.h"
-static int chap_string_to_hex(unsigned char *dst, unsigned char *src, int len)
-{
- int j = DIV_ROUND_UP(len, 2), rc;
-
- rc = hex2bin(dst, src, j);
- if (rc < 0)
- pr_debug("CHAP string contains non hex digit symbols\n");
-
- dst[j] = '\0';
- return j;
-}
-
static void chap_binaryhex_to_asciihex(char *dst, char *src, int src_len)
{
int i;
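Review bot: both defects named in the commit message are visible in the removed body: `j = DIV_ROUND_UP(len, 2)` takes its size from the caller's string length rather than from the destination, and `dst[j] = '\0'` then writes one byte past a buffer sized for exactly j bytes; the `rc < 0` branch also only emitted a pr_debug and never propagated the failure, so non-hex input used to fall through into the digest computation. Deleting the helper outright rather than bounding it internally is the right call, since every caller is then forced to hand hex2bin() the real destination length; the diffstat shows this is the only file touched, so any leftover caller would surface as a build break.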
@@ -240,9 +228,16 @@ static int chap_server_compute_md5(
pr_err("Could not find CHAP_R.\n");
goto out;
}
+ if (strlen(chap_r) != MD5_SIGNATURE_SIZE * 2) {
+ pr_err("Malformed CHAP_R\n");
+ goto out;
+ }
+ if (hex2bin(client_digest, chap_r, MD5_SIGNATURE_SIZE) < 0) {
+ pr_err("Malformed CHAP_R\n");
+ goto out;
+ }
pr_debug("[server] Got CHAP_R=%s\n", chap_r);
- chap_string_to_hex(client_digest, chap_r, strlen(chap_r));
tfm = crypto_alloc_shash("md5", 0, 0);
if (IS_ERR(tfm)) {
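Review bot: both rejection paths print the identical string "Malformed CHAP_R", which works against the commit message's stated aim of logging the rejection reason; consider "CHAP_R has wrong length" for the strlen() check and keeping "Malformed CHAP_R" (or "CHAP_R contains non-hex digits") for the hex2bin() failure so an operator can tell the two apart. Otherwise the shape is right: the length is compared against `MD5_SIGNATURE_SIZE * 2` before any decode, hex2bin() is given the destination size rather than the input size, and the pr_debug of the raw CHAP_R now runs only after both checks pass, as the commit message says.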
@@ -341,9 +336,7 @@ static int chap_server_compute_md5(
pr_err("Could not find CHAP_C.\n");
goto out;
}
- pr_debug("[server] Got CHAP_C=%s\n", challenge);
- challenge_len = chap_string_to_hex(challenge_binhex, challenge,
- strlen(challenge));
+ challenge_len = DIV_ROUND_UP(strlen(challenge), 2);
if (!challenge_len) {
pr_err("Unable to convert incoming challenge\n");
goto out;
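Review bot: `challenge_len = DIV_ROUND_UP(strlen(challenge), 2)` accepts an odd-length hex string, and such input is rejected only indirectly in the following hunk, because hex2bin() then reads the string's terminating NUL as its last nibble and fails on it. That is correct but easy to miss; an explicit `if (strlen(challenge) & 1)` check with its own message would make the intent obvious and give a distinct log line, in keeping with the commit message's goal of logging the rejection reason. The `if (!challenge_len)` test below is now reachable only for an empty CHAP_C, so its message "Unable to convert incoming challenge" could be tightened to say that.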
@@ -352,6 +345,11 @@ static int chap_server_compute_md5(
pr_err("CHAP_C exceeds maximum binary size of 1024 bytes\n");
goto out;
}
+ if (hex2bin(challenge_binhex, challenge, challenge_len) < 0) {
+ pr_err("Malformed CHAP_C\n");
+ goto out;
+ }
+ pr_debug("[server] Got CHAP_C=%s\n", challenge);
/*
* During mutual authentication, the CHAP_C generated by the
* initiator must not match the original CHAP_C generated by
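Review bot: the ordering here is right: the context line above rejects a CHAP_C whose binary size exceeds 1024 bytes before `hex2bin(challenge_binhex, challenge, challenge_len)` runs, so challenge_len is bounded by the destination size at the point of use, and the pr_debug of the raw challenge is moved to after the decode succeeds, as the commit message describes. One style point: "Malformed CHAP_C" is reported with pr_err and is reachable by any unauthenticated initiator during login, so pr_err_ratelimited (or pr_debug, matching the level the removed helper used) would keep a remote peer from filling the log; the same applies to the two "Malformed CHAP_R" messages in the earlier hunk.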
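To make the mechanism in the commit message concrete, the following is an added user-space model of the CHAP_R handling before and after this patch; it is not part of the patch or of the kernel tree. hex2bin_model() follows the contract of the kernel's hex2bin() (decode exactly `count` bytes from 2*count hex digits, return a negative value on a non-hex character, never append a terminator). MD5_SIGNATURE_SIZE is 16 as in the kernel; the function names, the returned "write extent" bookkeeping that stands in for the old helper's actual out-of-bounds store, and the sample inputs are all constructed for illustration.

```c
/*
 * Added example, not kernel code: a user-space model of CHAP_R parsing
 * before and after commit 1816494330a8 ("scsi: target: iscsi: Use hex2bin
 * instead of a re-implementation").
 */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MD5_SIGNATURE_SIZE 16                      /* same value as the kernel */
#define DIV_ROUND_UP(n, d) (((n) + (d) - 1) / (d))

static int hex_to_bin_model(char ch)
{
    if (ch >= '0' && ch <= '9') return ch - '0';
    if (ch >= 'a' && ch <= 'f') return ch - 'a' + 10;
    if (ch >= 'A' && ch <= 'F') return ch - 'A' + 10;
    return -1;
}

/* Mirrors the kernel hex2bin() contract: caller supplies the byte count,
 * nothing is appended, and any non-hex character fails the whole decode. */
int hex2bin_model(unsigned char *dst, const char *src, size_t count)
{
    while (count--) {
        int hi = hex_to_bin_model(*src++);
        int lo = hex_to_bin_model(*src++);
        if (hi < 0 || lo < 0)
            return -1;
        *dst++ = (unsigned char)((hi << 4) | lo);
    }
    return 0;
}

/*
 * Pre-fix behaviour. The removed chap_string_to_hex() derived its byte count
 * from the attacker-controlled string length and then stored dst[j] = '\0'.
 * Rather than performing that store, this returns how many bytes the helper
 * would have written (j decoded bytes plus one NUL) so the caller can compare
 * it with the 16-byte client_digest buffer it was aimed at. (constructed)
 */
size_t old_chap_r_write_extent(const char *chap_r)
{
    size_t j = DIV_ROUND_UP(strlen(chap_r), 2);   /* never consults the destination size */
    return j + 1;                                 /* j data bytes + trailing '\0' */
}

/*
 * Post-fix behaviour, mirroring the checks the patch adds to
 * chap_server_compute_md5(): reject anything that is not exactly
 * 2 * MD5_SIGNATURE_SIZE hex digits, then decode with an explicit destination
 * length. Returns 0 on success, -1 on a malformed CHAP_R; client_digest is
 * only written on success. (constructed)
 */
int new_parse_chap_r(const char *chap_r, unsigned char client_digest[MD5_SIGNATURE_SIZE])
{
    if (strlen(chap_r) != MD5_SIGNATURE_SIZE * 2)
        return -1;                                /* "Malformed CHAP_R": wrong length */
    if (hex2bin_model(client_digest, chap_r, MD5_SIGNATURE_SIZE) < 0)
        return -1;                                /* "Malformed CHAP_R": non-hex digit */
    return 0;
}

/* Convenience for checking results: decoded byte idx, or -1 if rejected. */
int new_parse_chap_r_byte(const char *chap_r, size_t idx)
{
    unsigned char digest[MD5_SIGNATURE_SIZE];
    if (idx >= MD5_SIGNATURE_SIZE || new_parse_chap_r(chap_r, digest) < 0)
        return -1;
    return digest[idx];
}

int main(void)
{
    /* Constructed inputs: a well-formed 32-hex-digit CHAP_R and a 64-digit one. */
    const char *good = "00112233445566778899aabbccddeeff";
    const char *overlong = "00112233445566778899aabbccddeeff"
                           "00112233445566778899aabbccddeeff";
    unsigned char digest[MD5_SIGNATURE_SIZE];

    printf("old helper, 32-digit input: %zu bytes into a %d-byte buffer\n",
           old_chap_r_write_extent(good), MD5_SIGNATURE_SIZE);
    printf("old helper, 64-digit input: %zu bytes into a %d-byte buffer\n",
           old_chap_r_write_extent(overlong), MD5_SIGNATURE_SIZE);
    printf("new parser, 32-digit input: %d\n", new_parse_chap_r(good, digest));
    printf("new parser, 64-digit input: %d\n", new_parse_chap_r(overlong, digest));
    return 0;
}
```

With a well-formed 32-digit CHAP_R the old helper already wrote 17 bytes into the 16-byte digest (the KASAN one-byte write in the report above); with a 64-digit string it would write 33, i.e. the 16 attacker-controlled bytes plus one NUL past the buffer that the commit message counts as "up to 17 bytes". The new path never touches client_digest unless the length and every digit have been checked.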