From: Chris Leech <cleech@redhat.com>
To: Sagi Grimberg <sagi@grimberg.me>, linux-nvme@lists.infradead.org
Cc: John Meneghini <jmeneghi@redhat.com>
Subject: [PATCH 0/1] nvme-tcp: fence TCP socket on transport error
Date: Mon, 20 Mar 2023 15:09:46 -0700 [thread overview]
Message-ID: <20230320220947.3244247-1-cleech@redhat.com> (raw)
Even after "160f3549a907 nvme-tcp: fix UAF when detecting digest errors", I
don't think the queue->rd_enabled flag is fencing the TCP socket from further
receive processing.
io_work can be re-queued while running, and if it's pending when a receive
error occurs it will bypass the queue->rd_enabled checks that should prevent
queueing in nvme_tcp_data_ready. Actually, it looks like nvme_tcp_write_space
and nvme_tcp_queue_request would schedule io_work anyway, which will always
call nvme_tcp_try_recv once regardless of rd_enabled. And nvme_tcp_poll has no
checks against rd_enabled.
After receiving an unsupported PDU, the header has been read but the payload
remains in the socket queue. And the nvme_tcp queue state looks like it's
ready to receive the payload of a C2H data PDU. Any additional calls to
nvme_tcp_try_recv can incorerectly interpret the next bits as a command ID,
lookup a request from the tagset using this bogus ID, and start copying the
payload data from the unsupported PDU to an invalid destination address.
This has been seen with a buggy target that sent extranious bytes in the TCP
stream, but also I believe with a properly functioning target that sent a
Controller to Host Terminate Connection (C2HTermReq). The Fatal Error Status
field was used as a Command ID and brought the host system down.
An additonal check against queue->rd_enabled at the start of nvme_tcp_recv_skb
should protect against both additonal io_work scheduling and nvme_tcp_poll use
after a receive transport error.
- Chris
Chris Leech (1):
nvme-tcp: fence TCP socket on receive error
drivers/nvme/host/tcp.c | 7 +++++++
1 file changed, 7 insertions(+)
--
2.39.2
next reply other threads:[~2023-03-20 22:12 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-03-20 22:09 Chris Leech [this message]
2023-03-20 22:09 ` [PATCH 1/1] nvme-tcp: fence TCP socket on transport error Chris Leech
2023-03-21 8:30 ` Sagi Grimberg
2023-03-21 16:30 ` Chris Leech
2023-03-21 16:30 ` [PATCH v2 1/1] nvme-tcp: fence TCP socket on receive error Chris Leech
2023-03-21 20:19 ` John Meneghini
2023-03-22 7:13 ` Sagi Grimberg
2023-04-05 15:21 ` Christoph Hellwig
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20230320220947.3244247-1-cleech@redhat.com \
--to=cleech@redhat.com \
--cc=jmeneghi@redhat.com \
--cc=linux-nvme@lists.infradead.org \
--cc=sagi@grimberg.me \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox