Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix for CVE-2023-5178 kernel-rt lts-9.2 VULN-6746 #18

Merged
merged 2 commits into from
Dec 3, 2024
Merged

Fix for CVE-2023-5178 kernel-rt lts-9.2 VULN-6746 #18

merged 2 commits into from
Dec 3, 2024

Conversation

gvrose8192
Copy link
Collaborator

@gvrose8192 gvrose8192 commented Dec 3, 2024
edited by PlaidCat
Loading

This patch fixes CVE-2023-5178 kernel-rt lts-9.2.

Commit

nvmet-tcp: Fix a possible UAF in queue intialization setup
jira VULN-6746
cve https://github.com/advisories/GHSA-xr9j-c7v6-7542
commit-author Sagi Grimberg <[email protected]>
commit https://github.com/ctrliq/kernel-src-tree/commit/d920abd1e7c4884f9ecd0749d1921b7ab19ddfbd

From Alon:
"Due to a logical bug in the NVMe-oF/TCP subsystem in the Linux kernel,
a malicious user can cause a UAF and a double free, which may lead to
RCE (may also lead to an LPE in case the attacker already has local
privileges)."

Hence, when a queue initialization fails after the ahash requests are
allocated, it is guaranteed that the queue removal async work will be
called, hence leave the deallocation to the queue removal.

Also, be extra careful not to continue processing the socket, so set
queue rcv_state to NVMET_TCP_RECV_ERR upon a socket error.

Builds and installs:

kABI check will be skipped

/home/g.v.rose/prj/kernel-build-tmp
  CLEAN   arch/x86/crypto
  CLEAN   arch/x86/entry/vdso
  CLEAN   arch/x86/kernel/cpu
  CLEAN   arch/x86/kernel
  CLEAN   arch/x86/purgatory
  CLEAN   arch/x86/realmode/rm
  CLEAN   arch/x86/lib
  CLEAN   certs
  CLEAN   crypto/asymmetric_keys
  CLEAN   drivers/firmware/efi/libstub
  CLEAN   drivers/gpu/drm/radeon
  CLEAN   drivers/scsi
  CLEAN   drivers/tty/vt
  CLEAN   drivers/video/logo
  CLEAN   kernel
  CLEAN   lib/raid6
  CLEAN   lib
  CLEAN   net/wireless
  CLEAN   security/selinux
  CLEAN   usr/include
  CLEAN   usr
  CLEAN   arch/x86/boot/compressed
  CLEAN   arch/x86/boot
  CLEAN   arch/x86/tools
  CLEAN   vmlinux.symvers modules-only.symvers modules.builtin modules.builtin.modinfo
  CLEAN   scripts/basic
  CLEAN   scripts/genksyms
  CLEAN   scripts/kconfig
  CLEAN   scripts/mod
  CLEAN   scripts/selinux/genheaders
  CLEAN   scripts/selinux/mdp
  CLEAN   scripts
  CLEAN   include/config include/generated arch/x86/include/generated .config .config.old .version Module.symvers certs/signing_key.pem certs/signing_key.x509 certs/x509.genkey
[TIMER]{MRPROPER}: 15s
x86_64 architecture detected, copying config
'configs/kernel-5.14.0-x86_64.config' -> '.config'
Setting Local Version for build
CONFIG_LOCALVERSION="-debug-branch"
Making olddefconfig
  HOSTCC  scripts/basic/fixdep
  HOSTCC  scripts/kconfig/conf.o
  HOSTCC  scripts/kconfig/confdata.o
  HOSTCC  scripts/kconfig/expr.o
  
[SNIP]

  STRIP   /lib/modules/5.14.0-debug-branch+/kernel/virt/lib/irqbypass.ko
  SIGN    /lib/modules/5.14.0-debug-branch+/kernel/virt/lib/irqbypass.ko
  DEPMOD  /lib/modules/5.14.0-debug-branch+
[TIMER]{MODULES}: 72s
Making Install
sh ./arch/x86/boot/install.sh \
        5.14.0-debug-branch+ arch/x86/boot/bzImage \
        System.map "/boot"
[TIMER]{INSTALL}: 22s
Checking kABI
kABI check skipped
Setting Default Kernel to /boot/vmlinuz-5.14.0-debug-branch+ and Index to 0
Hopefully Grub2.0 took everything ... rebooting after time metrices
[TIMER]{MRPROPER}: 15s
[TIMER]{BUILD}: 993s
[TIMER]{MODULES}: 72s
[TIMER]{INSTALL}: 22s
[TIMER]{TOTAL} 1112s
Rebooting in 10 seconds

Note that the kABI check is skipped for this RT kernel. The RT kernel does not have a stable kABI and so we skip the check in this case.

boots:

[g.v.rose@rocky92-lts-rt kernel-build-tmp]$ uname -a
Linux rocky92-lts-rt 5.14.0-debug-branch+ #1 SMP PREEMPT_RT Mon Dec 2 15:27:11 PST 2024 x86_64 x86_64 x86_64 GNU/Linux

Before and after kernel selftest logs:

kernel-selftests-before.log
kernel-selftests-after.log

Interestingly - the after change tests consistently showed this improvement:
 ok 2 selftests: breakpoints: breakpoint_test
 ok 1 selftests: capabilities: test_execve
 ok 3 selftests: cgroup: test_core
+ok 4 selftests: cgroup: test_freezer
 ok 5 selftests: cgroup: test_kill
 ok 6 selftests: cgroup: test_stress.sh
 ok 7 selftests: cgroup: test_cpuset_prs.sh
@@ -54,6 +55,7 @@ ok 23 selftests: kvm: svm_int_ctl_test # SKIP
 ok 24 selftests: kvm: svm_nested_soft_inject_test # SKIP
 ok 25 selftests: kvm: tsc_scaling_sync # SKIP
 ok 26 selftests: kvm: sync_regs_test
+ok 27 selftests: kvm: ucna_injection_test
 ok 28 selftests: kvm: userspace_io_test
 ok 29 selftests: kvm: userspace_msr_exit_test
 ok 30 selftests: kvm: vmx_apic_access_test

I have no way to show that the change we made has contributed to two extra tests succeeding and do not have the time to track down why that may be the case, nevertheless the after change tests show a consistent improvement in two kernel selftest cases.

The kernel selftests were run with lockdep and kmemleak debugging enabled. No significant issues result, a few tests fail because lockdep / kmemleak / RT enabled. They fail either way with or without this change.

kernel-selftests-ldpon.log

In general, this patch is comparable to others in the series of patches to lts and rt kernels for CVE-2023-5178.

@gvrose8192
nvmet-tcp: Fix a possible UAF in queue intialization setup
9c1c8f4 
jira VULN-6746
cve CVE-2023-5178
commit-author Sagi Grimberg <[email protected]>
commit d920abd

From Alon:
"Due to a logical bug in the NVMe-oF/TCP subsystem in the Linux kernel,
a malicious user can cause a UAF and a double free, which may lead to
RCE (may also lead to an LPE in case the attacker already has local
privileges)."

Hence, when a queue initialization fails after the ahash requests are
allocated, it is guaranteed that the queue removal async work will be
called, hence leave the deallocation to the queue removal.

Also, be extra careful not to continue processing the socket, so set
queue rcv_state to NVMET_TCP_RECV_ERR upon a socket error.

	Cc: [email protected]
	Reported-by: Alon Zahavi <[email protected]>
	Tested-by: Alon Zahavi <[email protected]>
	Signed-off-by: Sagi Grimberg <[email protected]>
	Reviewed-by: Christoph Hellwig <[email protected]>
	Reviewed-by: Chaitanya Kulkarni <[email protected]>
	Signed-off-by: Keith Busch <[email protected]>
(cherry picked from commit d920abd)
	Signed-off-by: Greg Rose <[email protected]>
@gvrose8192
github actions: Remove obsolete exposed key
5293115 
As the subject says, it's obsolete and the repo it was tied to
is long gone, but it's bad form to have it there.  Requestor is
actually passed in now so the value was not used in any case.

Signed-off-by: Greg Rose <[email protected]>
PlaidCat
PlaidCat approved these changes Dec 3, 2024
View reviewed changes
Copy link
Collaborator

@PlaidCat PlaidCat left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

:shipit:

Thanks for fixing the stale dead key as well.

@gvrose8192 gvrose8192 merged commit 5293115 into ciqlts9_2-rt Dec 3, 2024
4 checks passed
@gvrose8192 gvrose8192 deleted the gvrose_ciqlts9_2-rt branch December 3, 2024 15:48
@gvrose8192 gvrose8192 mentioned this pull request Dec 5, 2024
Merged
pvts-mat pushed a commit to pvts-mat/kernel-src-tree that referenced this pull request Jan 14, 2025
@PlaidCat
iavf: fix hang on reboot with ice
791d686 
jira LE-1907
Rebuild_History Non-Buildable kernel-rt-5.14.0-284.30.1.rt14.315.el9_2
commit-author Stefan Assmann <[email protected]>
commit 4e264be

When a system with E810 with existing VFs gets rebooted the following
hang may be observed.

 Pid 1 is hung in iavf_remove(), part of a network driver:
 PID: 1        TASK: ffff965400e5a340  CPU: 24   COMMAND: "systemd-shutdow"
  #0 [ffffaad04005fa50] __schedule at ffffffff8b3239cb
  ctrliq#1 [ffffaad04005fae8] schedule at ffffffff8b323e2d
  ctrliq#2 [ffffaad04005fb00] schedule_hrtimeout_range_clock at ffffffff8b32cebc
  ctrliq#3 [ffffaad04005fb80] usleep_range_state at ffffffff8b32c930
  ctrliq#4 [ffffaad04005fbb0] iavf_remove at ffffffffc12b9b4c [iavf]
  ctrliq#5 [ffffaad04005fbf0] pci_device_remove at ffffffff8add7513
  ctrliq#6 [ffffaad04005fc10] device_release_driver_internal at ffffffff8af08baa
  ctrliq#7 [ffffaad04005fc40] pci_stop_bus_device at ffffffff8adcc5fc
  ctrliq#8 [ffffaad04005fc60] pci_stop_and_remove_bus_device at ffffffff8adcc81e
  ctrliq#9 [ffffaad04005fc70] pci_iov_remove_virtfn at ffffffff8adf9429
 ctrliq#10 [ffffaad04005fca8] sriov_disable at ffffffff8adf98e4
 ctrliq#11 [ffffaad04005fcc8] ice_free_vfs at ffffffffc04bb2c8 [ice]
 ctrliq#12 [ffffaad04005fd10] ice_remove at ffffffffc04778fe [ice]
 ctrliq#13 [ffffaad04005fd38] ice_shutdown at ffffffffc0477946 [ice]
 ctrliq#14 [ffffaad04005fd50] pci_device_shutdown at ffffffff8add58f1
 ctrliq#15 [ffffaad04005fd70] device_shutdown at ffffffff8af05386
 ctrliq#16 [ffffaad04005fd98] kernel_restart at ffffffff8a92a870
 ctrliq#17 [ffffaad04005fda8] __do_sys_reboot at ffffffff8a92abd6
 ctrliq#18 [ffffaad04005fee0] do_syscall_64 at ffffffff8b317159
 ctrliq#19 [ffffaad04005ff08] __context_tracking_enter at ffffffff8b31b6fc
 ctrliq#20 [ffffaad04005ff18] syscall_exit_to_user_mode at ffffffff8b31b50d
 ctrliq#21 [ffffaad04005ff28] do_syscall_64 at ffffffff8b317169
 ctrliq#22 [ffffaad04005ff50] entry_SYSCALL_64_after_hwframe at ffffffff8b40009b
     RIP: 00007f1baa5c13d7  RSP: 00007fffbcc55a98  RFLAGS: 00000202
     RAX: ffffffffffffffda  RBX: 0000000000000000  RCX: 00007f1baa5c13d7
     RDX: 0000000001234567  RSI: 0000000028121969  RDI: 00000000fee1dead
     RBP: 00007fffbcc55ca0   R8: 0000000000000000   R9: 00007fffbcc54e90
     R10: 00007fffbcc55050  R11: 0000000000000202  R12: 0000000000000005
     R13: 0000000000000000  R14: 00007fffbcc55af0  R15: 0000000000000000
     ORIG_RAX: 00000000000000a9  CS: 0033  SS: 002b

During reboot all drivers PM shutdown callbacks are invoked.
In iavf_shutdown() the adapter state is changed to __IAVF_REMOVE.
In ice_shutdown() the call chain above is executed, which at some point
calls iavf_remove(). However iavf_remove() expects the VF to be in one
of the states __IAVF_RUNNING, __IAVF_DOWN or __IAVF_INIT_FAILED. If
that's not the case it sleeps forever.
So if iavf_shutdown() gets invoked before iavf_remove() the system will
hang indefinitely because the adapter is already in state __IAVF_REMOVE.

Fix this by returning from iavf_remove() if the state is __IAVF_REMOVE,
as we already went through iavf_shutdown().

Fixes: 9745780 ("iavf: Add waiting so the port is initialized in remove")
Fixes: a841733 ("iavf: Fix race condition between iavf_shutdown and iavf_remove")
	Reported-by: Marius Cornea <[email protected]>
	Signed-off-by: Stefan Assmann <[email protected]>
	Reviewed-by: Michal Kubiak <[email protected]>
	Tested-by: Rafal Romanowski <[email protected]>
	Signed-off-by: Tony Nguyen <[email protected]>
(cherry picked from commit 4e264be)
	Signed-off-by: Jonathan Maple <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@PlaidCat PlaidCat PlaidCat approved these changes

@bmastbergen bmastbergen bmastbergen approved these changes

Assignees
No one assigned
Labels
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@gvrose8192 @PlaidCat @bmastbergen