From: sj@kernel.org
To: Sagi Grimberg <sagi@grimberg.me>
Cc: linux-nvme@lists.infradead.org, Christoph Hellwig <hch@lst.de>,
Keith Busch <kbusch@kernel.org>,
Chaitanya Kulkarni <Chaitanya.Kulkarni@wdc.com>,
zahavi.alon@gmail.com, stable@vger.kernel.org
Subject: Re: [PATCH] nvmet-tcp: Fix a possible UAF in queue intialization setup
Date: Tue, 3 Oct 2023 16:46:37 +0000 [thread overview]
Message-ID: <20231003164638.2526-1-sj@kernel.org> (raw)
In-Reply-To: <20231002105428.226515-1-sagi@grimberg.me>
Hello,
On Mon, 2 Oct 2023 13:54:28 +0300 Sagi Grimberg <sagi@grimberg.me> wrote:
> From Alon:
> "Due to a logical bug in the NVMe-oF/TCP subsystem in the Linux kernel,
> a malicious user can cause a UAF and a double free, which may lead to
> RCE (may also lead to an LPE in case the attacker already has local
> privileges)."
>
> Hence, when a queue initialization fails after the ahash requests are
> allocated, it is guaranteed that the queue removal async work will be
> called, hence leave the deallocation to the queue removal.
>
> Also, be extra careful not to continue processing the socket, so set
> queue rcv_state to NVMET_TCP_RECV_ERR upon a socket error.
>
> Reported-by: Alon Zahavi <zahavi.alon@gmail.com>
> Tested-by: Alon Zahavi <zahavi.alon@gmail.com>
> Signed-off-by: Sagi Grimberg <sagi@grimberg.me>
Would it be better to add Fixes: and Cc: stable lines?
Thanks,
SJ
> ---
> drivers/nvme/target/tcp.c | 7 ++-----
> 1 file changed, 2 insertions(+), 5 deletions(-)
>
> diff --git a/drivers/nvme/target/tcp.c b/drivers/nvme/target/tcp.c
> index 97d07488072d..d840f996eb82 100644
> --- a/drivers/nvme/target/tcp.c
> +++ b/drivers/nvme/target/tcp.c
> @@ -372,6 +372,7 @@ static void nvmet_tcp_fatal_error(struct nvmet_tcp_queue *queue)
>
> static void nvmet_tcp_socket_error(struct nvmet_tcp_queue *queue, int status)
> {
> + queue->rcv_state = NVMET_TCP_RECV_ERR;
> if (status == -EPIPE || status == -ECONNRESET)
> kernel_sock_shutdown(queue->sock, SHUT_RDWR);
> else
> @@ -910,15 +911,11 @@ static int nvmet_tcp_handle_icreq(struct nvmet_tcp_queue *queue)
> iov.iov_len = sizeof(*icresp);
> ret = kernel_sendmsg(queue->sock, &msg, &iov, 1, iov.iov_len);
> if (ret < 0)
> - goto free_crypto;
> + return ret; /* queue removal will cleanup */
>
> queue->state = NVMET_TCP_Q_LIVE;
> nvmet_prepare_receive_pdu(queue);
> return 0;
> -free_crypto:
> - if (queue->hdr_digest || queue->data_digest)
> - nvmet_tcp_free_crypto(queue);
> - return ret;
> }
>
> static void nvmet_tcp_handle_req_failure(struct nvmet_tcp_queue *queue,
> --
> 2.41.0
>
>
next parent reply other threads:[~2023-10-03 16:46 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <20231002105428.226515-1-sagi@grimberg.me>
2023-10-03 16:46 ` sj [this message]
2023-10-04 9:41 ` [PATCH] nvmet-tcp: Fix a possible UAF in queue intialization setup Sagi Grimberg
2023-10-04 12:25 ` Greg KH
2023-10-04 13:25 ` Sagi Grimberg
2023-10-04 17:32 ` SeongJae Park
2023-10-06 12:21 ` Sasha Levin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20231003164638.2526-1-sj@kernel.org \
--to=sj@kernel.org \
--cc=Chaitanya.Kulkarni@wdc.com \
--cc=hch@lst.de \
--cc=kbusch@kernel.org \
--cc=linux-nvme@lists.infradead.org \
--cc=sagi@grimberg.me \
--cc=stable@vger.kernel.org \
--cc=zahavi.alon@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox