* question about CVE-2022-3169
@ 2022-11-10 10:23 linan (AK)
2022-11-10 16:17 ` Keith Busch
2022-11-11 1:37 ` Chaitanya Kulkarni
0 siblings, 2 replies; 4+ messages in thread
From: linan (AK) @ 2022-11-10 10:23 UTC (permalink / raw)
To: kbusch; +Cc: linux-nvme, yi.zhang, chengzhihao1
Hi,
1e866afd4bcd("nvme: ensure subsystem reset is single threaded")
fixed CVE-2022-3169.
IIUC, ERROR path I got in this CVE:
CPU1 CPU2
nvme_dev_ioctl nvme_dev_ioctl
nvme_reset_ctrl_sync nvme_reset_subsystem
reset_work
nvme_reset_work
nvme_setup_io_queues
nvme_remap_bar(dev, size)
if (size <= dev->bar_mapped_size)
return 0;
iounmap
reg_write32 //error
ioremap
In nvme_remap_bar(), the premise of ioremap is "size >
dev->bar_mapped_size".
size = NVME_REG_DBS + ((nr_io_queues + 1) * 8 * dev->db_stride);
1)nr_io_queue = dev->nr_allocated_queues - 1, Onece set to
"nvme_max_io_queues(dev) + 1" during probe time, it could not change.
2)db_stride is doorbell stride, it didn't change during my test
Therefore, I cant find a way to make iounmap happen.
Could you tell me how you trigger the ERROR?
Thanks,
Nan.
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: question about CVE-2022-3169
2022-11-10 10:23 question about CVE-2022-3169 linan (AK)
@ 2022-11-10 16:17 ` Keith Busch
2022-11-11 1:37 ` Chaitanya Kulkarni
1 sibling, 0 replies; 4+ messages in thread
From: Keith Busch @ 2022-11-10 16:17 UTC (permalink / raw)
To: linan (AK); +Cc: kbusch, linux-nvme, yi.zhang, chengzhihao1
On Thu, Nov 10, 2022 at 06:23:20PM +0800, linan (AK) wrote:
> Hi,
> 1e866afd4bcd("nvme: ensure subsystem reset is single threaded")
> fixed CVE-2022-3169.
The description in the CVE is nonsense. That patch won't "fix":
"the NVME_IOCTL_SUBSYS_RESET through the device file of the driver,
resulting in a PCIe link disconnect"
That's exactly what an nvme subsystem reset is supposed to do, as is
documented in the spec since the capability was introduced:
"When an NVM Subsystem Reset occurs, all PCIe links in the NVM
Subsystem transition to the LTSSM Detect state."
The patch just makes sure you can't stack different reset types along
with a unbinding event, so the test case in question will just become a
no-op for the subsystem reset part.
If anything, the CVE should have been that a non-admin user could have
triggered this, but a completely different patch fixed that.
> IIUC, ERROR path I got in this CVE:
> CPU1 CPU2
> nvme_dev_ioctl nvme_dev_ioctl
> nvme_reset_ctrl_sync nvme_reset_subsystem
> reset_work
> nvme_reset_work
> nvme_setup_io_queues
> nvme_remap_bar(dev, size)
> if (size <= dev->bar_mapped_size)
> return 0;
> iounmap
> reg_write32 //error
> ioremap
>
> In nvme_remap_bar(), the premise of ioremap is "size >
> dev->bar_mapped_size".
> size = NVME_REG_DBS + ((nr_io_queues + 1) * 8 * dev->db_stride);
> 1)nr_io_queue = dev->nr_allocated_queues - 1, Onece set to
> "nvme_max_io_queues(dev) + 1" during probe time, it could not change.
> 2)db_stride is doorbell stride, it didn't change during my test
> Therefore, I cant find a way to make iounmap happen.
>
> Could you tell me how you trigger the ERROR?
To get a panic, something needs to happen to cause the driver to unbind
from the device at the same time as sending a subsystem reset. I'm not
sure how the original bz reporter managed to make that happen, but it
didn't matter to me since we're supposed to handle these concurrent
events. I'm guessing a previous subsystem reset triggered link-down
unbinding, which unmapped the BAR at the same time another thread wanted
to send a follow on subsystem reset.
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: question about CVE-2022-3169
2022-11-10 10:23 question about CVE-2022-3169 linan (AK)
2022-11-10 16:17 ` Keith Busch
@ 2022-11-11 1:37 ` Chaitanya Kulkarni
2022-11-24 9:21 ` linan (AK)
1 sibling, 1 reply; 4+ messages in thread
From: Chaitanya Kulkarni @ 2022-11-11 1:37 UTC (permalink / raw)
To: linan (AK), kbusch@fb.com
Cc: linux-nvme@lists.infradead.org, yi.zhang@huawei.com,
chengzhihao1@huawei.com
Lian,
On 11/10/22 02:23, linan (AK) wrote:
> Hi,
> 1e866afd4bcd("nvme: ensure subsystem reset is single threaded")
> fixed CVE-2022-3169.
>
> IIUC, ERROR path I got in this CVE:
> CPU1 CPU2
> nvme_dev_ioctl nvme_dev_ioctl
> nvme_reset_ctrl_sync nvme_reset_subsystem
> reset_work
> nvme_reset_work
> nvme_setup_io_queues
> nvme_remap_bar(dev, size)
> if (size <= dev->bar_mapped_size)
> return 0;
> iounmap
> reg_write32 //error
> ioremap
>
> In nvme_remap_bar(), the premise of ioremap is "size >
> dev->bar_mapped_size".
> size = NVME_REG_DBS + ((nr_io_queues + 1) * 8 * dev->db_stride);
> 1)nr_io_queue = dev->nr_allocated_queues - 1, Onece set to
> "nvme_max_io_queues(dev) + 1" during probe time, it could not change.
> 2)db_stride is doorbell stride, it didn't change during my test
> Therefore, I cant find a way to make iounmap happen.
>
> Could you tell me how you trigger the ERROR?
>
> Thanks,
> Nan.
>
Do you have a script to reproduce this ?
-ck
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: question about CVE-2022-3169
2022-11-11 1:37 ` Chaitanya Kulkarni
@ 2022-11-24 9:21 ` linan (AK)
0 siblings, 0 replies; 4+ messages in thread
From: linan (AK) @ 2022-11-24 9:21 UTC (permalink / raw)
To: Chaitanya Kulkarni; +Cc: linux-nvme@lists.infradead.org
在 2022/11/11 9:37, Chaitanya Kulkarni 写道:
> Lian,
>
> On 11/10/22 02:23, linan (AK) wrote:
>> Hi,
>> 1e866afd4bcd("nvme: ensure subsystem reset is single threaded")
>> fixed CVE-2022-3169.
>>
>> IIUC, ERROR path I got in this CVE:
>> CPU1 CPU2
>> nvme_dev_ioctl nvme_dev_ioctl
>> nvme_reset_ctrl_sync nvme_reset_subsystem
>> reset_work
>> nvme_reset_work
>> nvme_setup_io_queues
>> nvme_remap_bar(dev, size)
>> if (size <= dev->bar_mapped_size)
>> return 0;
>> iounmap
>> reg_write32 //error
>> ioremap
>>
>> In nvme_remap_bar(), the premise of ioremap is "size >
>> dev->bar_mapped_size".
>> size = NVME_REG_DBS + ((nr_io_queues + 1) * 8 * dev->db_stride);
>> 1)nr_io_queue = dev->nr_allocated_queues - 1, Onece set to
>> "nvme_max_io_queues(dev) + 1" during probe time, it could not change.
>> 2)db_stride is doorbell stride, it didn't change during my test
>> Therefore, I cant find a way to make iounmap happen.
>>
>> Could you tell me how you trigger the ERROR?
>>
>> Thanks,
>> Nan.
>>
>
> Do you have a script to reproduce this ?
>
> -ck
>
I can't reproduce it. "cause the driver to unbind from the device at the
same time as sending a subsystem reset", you can have a try like Keith said.
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2022-11-24 9:21 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2022-11-10 10:23 question about CVE-2022-3169 linan (AK)
2022-11-10 16:17 ` Keith Busch
2022-11-11 1:37 ` Chaitanya Kulkarni
2022-11-24 9:21 ` linan (AK)
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox