* Re: [PATCH] nvmet-tcp: Fix a possible UAF in queue intialization setup
[not found] <20231002105428.226515-1-sagi@grimberg.me>
@ 2023-10-03 16:46 ` sj
2023-10-04 9:41 ` Sagi Grimberg
0 siblings, 1 reply; 6+ messages in thread
From: sj @ 2023-10-03 16:46 UTC (permalink / raw)
To: Sagi Grimberg
Cc: linux-nvme, Christoph Hellwig, Keith Busch, Chaitanya Kulkarni,
zahavi.alon, stable
Hello,
On Mon, 2 Oct 2023 13:54:28 +0300 Sagi Grimberg <sagi@grimberg.me> wrote:
> From Alon:
> "Due to a logical bug in the NVMe-oF/TCP subsystem in the Linux kernel,
> a malicious user can cause a UAF and a double free, which may lead to
> RCE (may also lead to an LPE in case the attacker already has local
> privileges)."
>
> Hence, when a queue initialization fails after the ahash requests are
> allocated, it is guaranteed that the queue removal async work will be
> called, hence leave the deallocation to the queue removal.
>
> Also, be extra careful not to continue processing the socket, so set
> queue rcv_state to NVMET_TCP_RECV_ERR upon a socket error.
>
> Reported-by: Alon Zahavi <zahavi.alon@gmail.com>
> Tested-by: Alon Zahavi <zahavi.alon@gmail.com>
> Signed-off-by: Sagi Grimberg <sagi@grimberg.me>
Would it be better to add Fixes: and Cc: stable lines?
Thanks,
SJ
> ---
> drivers/nvme/target/tcp.c | 7 ++-----
> 1 file changed, 2 insertions(+), 5 deletions(-)
>
> diff --git a/drivers/nvme/target/tcp.c b/drivers/nvme/target/tcp.c
> index 97d07488072d..d840f996eb82 100644
> --- a/drivers/nvme/target/tcp.c
> +++ b/drivers/nvme/target/tcp.c
> @@ -372,6 +372,7 @@ static void nvmet_tcp_fatal_error(struct nvmet_tcp_queue *queue)
>
> static void nvmet_tcp_socket_error(struct nvmet_tcp_queue *queue, int status)
> {
> + queue->rcv_state = NVMET_TCP_RECV_ERR;
> if (status == -EPIPE || status == -ECONNRESET)
> kernel_sock_shutdown(queue->sock, SHUT_RDWR);
> else
> @@ -910,15 +911,11 @@ static int nvmet_tcp_handle_icreq(struct nvmet_tcp_queue *queue)
> iov.iov_len = sizeof(*icresp);
> ret = kernel_sendmsg(queue->sock, &msg, &iov, 1, iov.iov_len);
> if (ret < 0)
> - goto free_crypto;
> + return ret; /* queue removal will cleanup */
>
> queue->state = NVMET_TCP_Q_LIVE;
> nvmet_prepare_receive_pdu(queue);
> return 0;
> -free_crypto:
> - if (queue->hdr_digest || queue->data_digest)
> - nvmet_tcp_free_crypto(queue);
> - return ret;
> }
>
> static void nvmet_tcp_handle_req_failure(struct nvmet_tcp_queue *queue,
> --
> 2.41.0
>
>
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [PATCH] nvmet-tcp: Fix a possible UAF in queue intialization setup
2023-10-03 16:46 ` [PATCH] nvmet-tcp: Fix a possible UAF in queue intialization setup sj
@ 2023-10-04 9:41 ` Sagi Grimberg
2023-10-04 12:25 ` Greg KH
0 siblings, 1 reply; 6+ messages in thread
From: Sagi Grimberg @ 2023-10-04 9:41 UTC (permalink / raw)
To: sj
Cc: linux-nvme, Christoph Hellwig, Keith Busch, Chaitanya Kulkarni,
zahavi.alon, stable
> Hello,
>
> On Mon, 2 Oct 2023 13:54:28 +0300 Sagi Grimberg <sagi@grimberg.me> wrote:
>
>> From Alon:
>> "Due to a logical bug in the NVMe-oF/TCP subsystem in the Linux kernel,
>> a malicious user can cause a UAF and a double free, which may lead to
>> RCE (may also lead to an LPE in case the attacker already has local
>> privileges)."
>>
>> Hence, when a queue initialization fails after the ahash requests are
>> allocated, it is guaranteed that the queue removal async work will be
>> called, hence leave the deallocation to the queue removal.
>>
>> Also, be extra careful not to continue processing the socket, so set
>> queue rcv_state to NVMET_TCP_RECV_ERR upon a socket error.
>>
>> Reported-by: Alon Zahavi <zahavi.alon@gmail.com>
>> Tested-by: Alon Zahavi <zahavi.alon@gmail.com>
>> Signed-off-by: Sagi Grimberg <sagi@grimberg.me>
>
> Would it be better to add Fixes: and Cc: stable lines?
This issue existed since the introduction of the driver, I am not sure
it applies cleanly that far back...
I figured that the description and Reported-by tag will trigger stable
kernel pick up...
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [PATCH] nvmet-tcp: Fix a possible UAF in queue intialization setup
2023-10-04 9:41 ` Sagi Grimberg
@ 2023-10-04 12:25 ` Greg KH
2023-10-04 13:25 ` Sagi Grimberg
0 siblings, 1 reply; 6+ messages in thread
From: Greg KH @ 2023-10-04 12:25 UTC (permalink / raw)
To: Sagi Grimberg
Cc: sj, linux-nvme, Christoph Hellwig, Keith Busch,
Chaitanya Kulkarni, zahavi.alon, stable
On Wed, Oct 04, 2023 at 12:41:30PM +0300, Sagi Grimberg wrote:
>
> > Hello,
> >
> > On Mon, 2 Oct 2023 13:54:28 +0300 Sagi Grimberg <sagi@grimberg.me> wrote:
> >
> > > From Alon:
> > > "Due to a logical bug in the NVMe-oF/TCP subsystem in the Linux kernel,
> > > a malicious user can cause a UAF and a double free, which may lead to
> > > RCE (may also lead to an LPE in case the attacker already has local
> > > privileges)."
> > >
> > > Hence, when a queue initialization fails after the ahash requests are
> > > allocated, it is guaranteed that the queue removal async work will be
> > > called, hence leave the deallocation to the queue removal.
> > >
> > > Also, be extra careful not to continue processing the socket, so set
> > > queue rcv_state to NVMET_TCP_RECV_ERR upon a socket error.
> > >
> > > Reported-by: Alon Zahavi <zahavi.alon@gmail.com>
> > > Tested-by: Alon Zahavi <zahavi.alon@gmail.com>
> > > Signed-off-by: Sagi Grimberg <sagi@grimberg.me>
> >
> > Would it be better to add Fixes: and Cc: stable lines?
>
> This issue existed since the introduction of the driver, I am not sure
> it applies cleanly that far back...
>
> I figured that the description and Reported-by tag will trigger stable
> kernel pick up...
<formletter>
This is not the correct way to submit patches for inclusion in the
stable kernel tree. Please read:
https://www.kernel.org/doc/html/latest/process/stable-kernel-rules.html
for how to do this properly.
</formletter>
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [PATCH] nvmet-tcp: Fix a possible UAF in queue intialization setup
2023-10-04 12:25 ` Greg KH
@ 2023-10-04 13:25 ` Sagi Grimberg
2023-10-04 17:32 ` SeongJae Park
2023-10-06 12:21 ` Sasha Levin
0 siblings, 2 replies; 6+ messages in thread
From: Sagi Grimberg @ 2023-10-04 13:25 UTC (permalink / raw)
To: Greg KH
Cc: sj, linux-nvme, Christoph Hellwig, Keith Busch,
Chaitanya Kulkarni, zahavi.alon, stable
>>> Hello,
>>>
>>> On Mon, 2 Oct 2023 13:54:28 +0300 Sagi Grimberg <sagi@grimberg.me> wrote:
>>>
>>>> From Alon:
>>>> "Due to a logical bug in the NVMe-oF/TCP subsystem in the Linux kernel,
>>>> a malicious user can cause a UAF and a double free, which may lead to
>>>> RCE (may also lead to an LPE in case the attacker already has local
>>>> privileges)."
>>>>
>>>> Hence, when a queue initialization fails after the ahash requests are
>>>> allocated, it is guaranteed that the queue removal async work will be
>>>> called, hence leave the deallocation to the queue removal.
>>>>
>>>> Also, be extra careful not to continue processing the socket, so set
>>>> queue rcv_state to NVMET_TCP_RECV_ERR upon a socket error.
>>>>
>>>> Reported-by: Alon Zahavi <zahavi.alon@gmail.com>
>>>> Tested-by: Alon Zahavi <zahavi.alon@gmail.com>
>>>> Signed-off-by: Sagi Grimberg <sagi@grimberg.me>
>>>
>>> Would it be better to add Fixes: and Cc: stable lines?
>>
>> This issue existed since the introduction of the driver, I am not sure
>> it applies cleanly that far back...
>>
>> I figured that the description and Reported-by tag will trigger stable
>> kernel pick up...
>
> <formletter>
>
> This is not the correct way to submit patches for inclusion in the
> stable kernel tree. Please read:
> https://www.kernel.org/doc/html/latest/process/stable-kernel-rules.html
> for how to do this properly.
>
> </formletter>
I could have sworn to have seen patches that did not have stable CCd
nor a Fixes tag and was picked up for stable kernels :)
But I guess those were either hallucinations or someone sending patches
to stable...
I can resend with CC to stable.
Thanks.
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [PATCH] nvmet-tcp: Fix a possible UAF in queue intialization setup
2023-10-04 13:25 ` Sagi Grimberg
@ 2023-10-04 17:32 ` SeongJae Park
2023-10-06 12:21 ` Sasha Levin
1 sibling, 0 replies; 6+ messages in thread
From: SeongJae Park @ 2023-10-04 17:32 UTC (permalink / raw)
To: Sagi Grimberg
Cc: Greg KH, sj, linux-nvme, Christoph Hellwig, Keith Busch,
Chaitanya Kulkarni, zahavi.alon, stable
On Wed, 4 Oct 2023 16:25:13 +0300 Sagi Grimberg <sagi@grimberg.me> wrote:
>
> >>> Hello,
> >>>
> >>> On Mon, 2 Oct 2023 13:54:28 +0300 Sagi Grimberg <sagi@grimberg.me> wrote:
> >>>
> >>>> From Alon:
> >>>> "Due to a logical bug in the NVMe-oF/TCP subsystem in the Linux kernel,
> >>>> a malicious user can cause a UAF and a double free, which may lead to
> >>>> RCE (may also lead to an LPE in case the attacker already has local
> >>>> privileges)."
> >>>>
> >>>> Hence, when a queue initialization fails after the ahash requests are
> >>>> allocated, it is guaranteed that the queue removal async work will be
> >>>> called, hence leave the deallocation to the queue removal.
> >>>>
> >>>> Also, be extra careful not to continue processing the socket, so set
> >>>> queue rcv_state to NVMET_TCP_RECV_ERR upon a socket error.
> >>>>
> >>>> Reported-by: Alon Zahavi <zahavi.alon@gmail.com>
> >>>> Tested-by: Alon Zahavi <zahavi.alon@gmail.com>
> >>>> Signed-off-by: Sagi Grimberg <sagi@grimberg.me>
> >>>
> >>> Would it be better to add Fixes: and Cc: stable lines?
> >>
> >> This issue existed since the introduction of the driver, I am not sure
> >> it applies cleanly that far back...
Based on the rule[1], I think people who need this fix on the old kernel would
do that. I'd just say adding Fixes: would help it, so better than nothing.
[1] https://www.kernel.org/doc/html/latest/process/stable-kernel-rules.html
> >>
> >> I figured that the description and Reported-by tag will trigger stable
> >> kernel pick up...
> >
> > <formletter>
> >
> > This is not the correct way to submit patches for inclusion in the
> > stable kernel tree. Please read:
> > https://www.kernel.org/doc/html/latest/process/stable-kernel-rules.html
> > for how to do this properly.
> >
> > </formletter>
>
> I could have sworn to have seen patches that did not have stable CCd
> nor a Fixes tag and was picked up for stable kernels :)
I could also swear. Stable kernel maintainers are great at finding fixes on
their own. But I think adding those could help them avoiding any mistake, and
therefore better than nothing, again.
> But I guess those were either hallucinations or someone sending patches
> to stable...
>
> I can resend with CC to stable.
Thank you :)
Thanks,
SJ
>
> Thanks.
>
>
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [PATCH] nvmet-tcp: Fix a possible UAF in queue intialization setup
2023-10-04 13:25 ` Sagi Grimberg
2023-10-04 17:32 ` SeongJae Park
@ 2023-10-06 12:21 ` Sasha Levin
1 sibling, 0 replies; 6+ messages in thread
From: Sasha Levin @ 2023-10-06 12:21 UTC (permalink / raw)
To: Sagi Grimberg
Cc: Greg KH, sj, linux-nvme, Christoph Hellwig, Keith Busch,
Chaitanya Kulkarni, zahavi.alon, stable
On Wed, Oct 04, 2023 at 04:25:13PM +0300, Sagi Grimberg wrote:
>
>>>>Hello,
>>>>
>>>>On Mon, 2 Oct 2023 13:54:28 +0300 Sagi Grimberg <sagi@grimberg.me> wrote:
>>>>
>>>>> From Alon:
>>>>>"Due to a logical bug in the NVMe-oF/TCP subsystem in the Linux kernel,
>>>>>a malicious user can cause a UAF and a double free, which may lead to
>>>>>RCE (may also lead to an LPE in case the attacker already has local
>>>>>privileges)."
>>>>>
>>>>>Hence, when a queue initialization fails after the ahash requests are
>>>>>allocated, it is guaranteed that the queue removal async work will be
>>>>>called, hence leave the deallocation to the queue removal.
>>>>>
>>>>>Also, be extra careful not to continue processing the socket, so set
>>>>>queue rcv_state to NVMET_TCP_RECV_ERR upon a socket error.
>>>>>
>>>>>Reported-by: Alon Zahavi <zahavi.alon@gmail.com>
>>>>>Tested-by: Alon Zahavi <zahavi.alon@gmail.com>
>>>>>Signed-off-by: Sagi Grimberg <sagi@grimberg.me>
>>>>
>>>>Would it be better to add Fixes: and Cc: stable lines?
>>>
>>>This issue existed since the introduction of the driver, I am not sure
>>>it applies cleanly that far back...
>>>
>>>I figured that the description and Reported-by tag will trigger stable
>>>kernel pick up...
>>
>><formletter>
>>
>>This is not the correct way to submit patches for inclusion in the
>>stable kernel tree. Please read:
>> https://www.kernel.org/doc/html/latest/process/stable-kernel-rules.html
>>for how to do this properly.
>>
>></formletter>
>
>I could have sworn to have seen patches that did not have stable CCd
>nor a Fixes tag and was picked up for stable kernels :)
>But I guess those were either hallucinations or someone sending patches
>to stable...
That happens, but there are no guarantees around it.
If you really want for a patch to land in stable, and want to know if
for some reason it didn't, the only way to do it is with an explicit
stable tag. Otherwise it's just "best effort".
--
Thanks,
Sasha
^ permalink raw reply [flat|nested] 6+ messages in thread
end of thread, other threads:[~2023-10-06 12:21 UTC | newest]
Thread overview: 6+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
[not found] <20231002105428.226515-1-sagi@grimberg.me>
2023-10-03 16:46 ` [PATCH] nvmet-tcp: Fix a possible UAF in queue intialization setup sj
2023-10-04 9:41 ` Sagi Grimberg
2023-10-04 12:25 ` Greg KH
2023-10-04 13:25 ` Sagi Grimberg
2023-10-04 17:32 ` SeongJae Park
2023-10-06 12:21 ` Sasha Levin
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox