nvmet-tcp: Fix a possible UAF in queue intialization setup (!3209) · Merge requests · Red Hat / centos-stream / src / kernel / centos-stream-9

John Meneghini requested to merge johnmeneghini/centos-stream-9:nvmet_free_crypto_fix3 into main Oct 13, 2023

JIRA: https://issues.redhat.com/browse/RHEL-11488

CVE: CVE-2023-5178

JIRA: https://issues.redhat.com/browse/RHEL-11492

CVE: CVE-2023-5178

Upstream Status: git://git.infradead.org/nvme.git

From Alon: "Due to a logical bug in the NVMe-oF/TCP subsystem in the Linux kernel, a malicious user can cause a UAF and a double free, which may lead to RCE (may also lead to an LPE in case the attacker already has local privileges)."

Hence, when a queue initialization fails after the ahash requests are allocated, it is guaranteed that the queue removal async work will be called, hence leave the deallocation to the queue removal.

Also, be extra careful not to continue processing the socket, so set queue rcv_state to NVMET_TCP_RECV_ERR upon a socket error.

Signed-off-by: John Meneghini jmeneghi@redhat.com

Edited Oct 13, 2023 by John Meneghini

Admin message

nvmet-tcp: Fix a possible UAF in queue intialization setup

Merge request reports