review.tizen.org Git - platform/kernel/linux-starfive.git/commit

author	Sagi Grimberg <sagi@grimberg.me>
	Mon, 2 Oct 2023 10:54:28 +0000 (13:54 +0300)
committer	Keith Busch <kbusch@kernel.org>
	Tue, 10 Oct 2023 15:03:22 +0000 (08:03 -0700)
commit	d920abd1e7c4884f9ecd0749d1921b7ab19ddfbd
tree	5404c082d6b0e59db8cb20be6f2b5bbee4cd3836	tree \| snapshot
parent	3820c4fdc247b6f0a4162733bdb8ddf8f2e8a1e4	commit \| diff

nvmet-tcp: Fix a possible UAF in queue intialization setup

From Alon:
"Due to a logical bug in the NVMe-oF/TCP subsystem in the Linux kernel,
a malicious user can cause a UAF and a double free, which may lead to
RCE (may also lead to an LPE in case the attacker already has local
privileges)."

Hence, when a queue initialization fails after the ahash requests are
allocated, it is guaranteed that the queue removal async work will be
called, hence leave the deallocation to the queue removal.

Also, be extra careful not to continue processing the socket, so set
queue rcv_state to NVMET_TCP_RECV_ERR upon a socket error.

Cc: stable@vger.kernel.org
Reported-by: Alon Zahavi <zahavi.alon@gmail.com>
Tested-by: Alon Zahavi <zahavi.alon@gmail.com>
Signed-off-by: Sagi Grimberg <sagi@grimberg.me>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Reviewed-by: Chaitanya Kulkarni <kch@nvidia.com>
Signed-off-by: Keith Busch <kbusch@kernel.org>