From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id A4A73C4167B for ; Mon, 6 Nov 2023 13:22:46 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S232454AbjKFNWr (ORCPT ); Mon, 6 Nov 2023 08:22:47 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:58008 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S232452AbjKFNWr (ORCPT ); Mon, 6 Nov 2023 08:22:47 -0500 Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 7C78FA9 for ; Mon, 6 Nov 2023 05:22:44 -0800 (PST) Received: by smtp.kernel.org (Postfix) with ESMTPSA id C14C0C433C7; Mon, 6 Nov 2023 13:22:43 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1699276964; bh=o8n1i2Sn6oL+fcbaIOeJlxb7/B9GJquWlWHZULJt+is=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=jAZpPumvo1TCLcwxqcdFH8LgwNyn6GPy7q+m/msnijiTXmOyhEMWsm/Y4Bgpi2ek1 dKiRzQVndpKmjTyR+jb7F/F/Bqg2rYemo/CsZ9RCsmZaeLVJgcA+NC2uk+h+wGj4eB Y2S34LzF0fys4x7KHVjfP0vQSESKqFd4JtAqwvwU= From: Greg Kroah-Hartman To: stable@vger.kernel.org Cc: Greg Kroah-Hartman , patches@lists.linux.dev, Alon Zahavi , Sagi Grimberg , Christoph Hellwig , Chaitanya Kulkarni , Keith Busch , Dragos-Marian Panait Subject: [PATCH 5.4 67/74] nvmet-tcp: Fix a possible UAF in queue intialization setup Date: Mon, 6 Nov 2023 14:04:27 +0100 Message-ID: <20231106130303.993818732@linuxfoundation.org> X-Mailer: git-send-email 2.42.0 In-Reply-To: <20231106130301.687882731@linuxfoundation.org> References: <20231106130301.687882731@linuxfoundation.org> User-Agent: quilt/0.67 X-stable: review X-Patchwork-Hint: ignore MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: stable@vger.kernel.org 5.4-stable review patch. If anyone has any objections, please let me know. ------------------ From: Sagi Grimberg commit d920abd1e7c4884f9ecd0749d1921b7ab19ddfbd upstream. >>From Alon: "Due to a logical bug in the NVMe-oF/TCP subsystem in the Linux kernel, a malicious user can cause a UAF and a double free, which may lead to RCE (may also lead to an LPE in case the attacker already has local privileges)." Hence, when a queue initialization fails after the ahash requests are allocated, it is guaranteed that the queue removal async work will be called, hence leave the deallocation to the queue removal. Also, be extra careful not to continue processing the socket, so set queue rcv_state to NVMET_TCP_RECV_ERR upon a socket error. Cc: stable@vger.kernel.org Reported-by: Alon Zahavi Tested-by: Alon Zahavi Signed-off-by: Sagi Grimberg Reviewed-by: Christoph Hellwig Reviewed-by: Chaitanya Kulkarni Signed-off-by: Keith Busch Signed-off-by: Dragos-Marian Panait Signed-off-by: Greg Kroah-Hartman --- drivers/nvme/target/tcp.c | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) --- a/drivers/nvme/target/tcp.c +++ b/drivers/nvme/target/tcp.c @@ -323,6 +323,7 @@ static void nvmet_tcp_fatal_error(struct static void nvmet_tcp_socket_error(struct nvmet_tcp_queue *queue, int status) { + queue->rcv_state = NVMET_TCP_RECV_ERR; if (status == -EPIPE || status == -ECONNRESET) kernel_sock_shutdown(queue->sock, SHUT_RDWR); else @@ -828,15 +829,11 @@ static int nvmet_tcp_handle_icreq(struct iov.iov_len = sizeof(*icresp); ret = kernel_sendmsg(queue->sock, &msg, &iov, 1, iov.iov_len); if (ret < 0) - goto free_crypto; + return ret; /* queue removal will cleanup */ queue->state = NVMET_TCP_Q_LIVE; nvmet_prepare_receive_pdu(queue); return 0; -free_crypto: - if (queue->hdr_digest || queue->data_digest) - nvmet_tcp_free_crypto(queue); - return ret; } static void nvmet_tcp_handle_req_failure(struct nvmet_tcp_queue *queue,