From: Sasha Levin <sashal@kernel.org>
To: Sagi Grimberg <sagi@grimberg.me>
Cc: Greg KH <gregkh@linuxfoundation.org>,
sj@kernel.org, linux-nvme@lists.infradead.org,
Christoph Hellwig <hch@lst.de>, Keith Busch <kbusch@kernel.org>,
Chaitanya Kulkarni <Chaitanya.Kulkarni@wdc.com>,
zahavi.alon@gmail.com, stable@vger.kernel.org
Subject: Re: [PATCH] nvmet-tcp: Fix a possible UAF in queue intialization setup
Date: Fri, 6 Oct 2023 08:21:03 -0400 [thread overview]
Message-ID: <ZR_7rzhMCkKAUN_x@sashalap> (raw)
In-Reply-To: <01901640-fc6d-5d15-3aa0-9f4586ba5141@grimberg.me>
On Wed, Oct 04, 2023 at 04:25:13PM +0300, Sagi Grimberg wrote:
>
>>>>Hello,
>>>>
>>>>On Mon, 2 Oct 2023 13:54:28 +0300 Sagi Grimberg <sagi@grimberg.me> wrote:
>>>>
>>>>> From Alon:
>>>>>"Due to a logical bug in the NVMe-oF/TCP subsystem in the Linux kernel,
>>>>>a malicious user can cause a UAF and a double free, which may lead to
>>>>>RCE (may also lead to an LPE in case the attacker already has local
>>>>>privileges)."
>>>>>
>>>>>Hence, when a queue initialization fails after the ahash requests are
>>>>>allocated, it is guaranteed that the queue removal async work will be
>>>>>called, hence leave the deallocation to the queue removal.
>>>>>
>>>>>Also, be extra careful not to continue processing the socket, so set
>>>>>queue rcv_state to NVMET_TCP_RECV_ERR upon a socket error.
>>>>>
>>>>>Reported-by: Alon Zahavi <zahavi.alon@gmail.com>
>>>>>Tested-by: Alon Zahavi <zahavi.alon@gmail.com>
>>>>>Signed-off-by: Sagi Grimberg <sagi@grimberg.me>
>>>>
>>>>Would it be better to add Fixes: and Cc: stable lines?
>>>
>>>This issue existed since the introduction of the driver, I am not sure
>>>it applies cleanly that far back...
>>>
>>>I figured that the description and Reported-by tag will trigger stable
>>>kernel pick up...
>>
>><formletter>
>>
>>This is not the correct way to submit patches for inclusion in the
>>stable kernel tree. Please read:
>> https://www.kernel.org/doc/html/latest/process/stable-kernel-rules.html
>>for how to do this properly.
>>
>></formletter>
>
>I could have sworn to have seen patches that did not have stable CCd
>nor a Fixes tag and was picked up for stable kernels :)
>But I guess those were either hallucinations or someone sending patches
>to stable...
That happens, but there are no guarantees around it.
If you really want for a patch to land in stable, and want to know if
for some reason it didn't, the only way to do it is with an explicit
stable tag. Otherwise it's just "best effort".
--
Thanks,
Sasha
prev parent reply other threads:[~2023-10-06 12:21 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <20231002105428.226515-1-sagi@grimberg.me>
2023-10-03 16:46 ` [PATCH] nvmet-tcp: Fix a possible UAF in queue intialization setup sj
2023-10-04 9:41 ` Sagi Grimberg
2023-10-04 12:25 ` Greg KH
2023-10-04 13:25 ` Sagi Grimberg
2023-10-04 17:32 ` SeongJae Park
2023-10-06 12:21 ` Sasha Levin [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=ZR_7rzhMCkKAUN_x@sashalap \
--to=sashal@kernel.org \
--cc=Chaitanya.Kulkarni@wdc.com \
--cc=gregkh@linuxfoundation.org \
--cc=hch@lst.de \
--cc=kbusch@kernel.org \
--cc=linux-nvme@lists.infradead.org \
--cc=sagi@grimberg.me \
--cc=sj@kernel.org \
--cc=stable@vger.kernel.org \
--cc=zahavi.alon@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox