scsi: CVE-2018-14633

scsi: target: iscsi: Use hex2bin instead of a re-implementation References: https://nvd.nist.gov/vuln/detail/CVE-2018-14633 https://git.kernel.org/pub/scm/linux/kernel/git/mkp/scsi.git/commit/?h=4.19/scsi-fixes&id=1816494330a83f2a064499d8ed2797045641f92c Change-Id: I16bfd3eec69e4aef5a238a4d65e2790ba2c88b67 Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
author: Andreas Wellving <andreas.wellving@enea.com> 2019-01-25 16:09:24 +0100
committer: Adrian Mangeac <Adrian.Mangeac@enea.com> 2019-02-01 15:57:08 +0100
commit: 5dd4ff4afafddef0d56795990f9190d19326bac7 (patch)
tree: 95e80c0c9bd01ad7ccd7732437fe881314401a53
parent: 9f09b87e8aec0f2665d352dc16f380d71d958f59 (diff)
download: enea-kernel-cache-5dd4ff4afafddef0d56795990f9190d19326bac7.tar.gz
2 files changed, 190 insertions, 0 deletions
diff --git a/patches/cve/4.14.x.scc b/patches/cve/4.14.x.scc
index 7e8b156..78e3e2d 100644
--- a/patches/cve/4.14.x.scc
+++ b/patches/cve/4.14.x.scc
@@ -1,2 +1,4 @@
 #CVEs fixed in 4.14.71:
 patch CVE-2018-13099-f2fs-fix-to-do-sanity-check-with-reserved-blkaddr-of.patch
+#CVEs fixed in 4.14.73:
+patch CVE-2018-14633-scsi-target-iscsi-Use-hex2bin-instead-of-a-re-implem.patch
diff --git a/patches/cve/CVE-2018-14633-scsi-target-iscsi-Use-hex2bin-instead-of-a-re-implem.patch b/patches/cve/CVE-2018-14633-scsi-target-iscsi-Use-hex2bin-instead-of-a-re-implem.patch
new file mode 100644
index 0000000..3ffd412
--- /dev/null
+++ b/patches/cve/CVE-2018-14633-scsi-target-iscsi-Use-hex2bin-instead-of-a-re-implem.patch
@@ -0,0 +1,188 @@
+From 755e45f3155cc51e37dc1cce9ccde10b84df7d93 Mon Sep 17 00:00:00 2001
+From: Vincent Pelletier <plr.vincent@gmail.com>
+Date: Sun, 9 Sep 2018 04:09:26 +0000
+Subject: [PATCH] scsi: target: iscsi: Use hex2bin instead of a
+ re-implementation
+commit 1816494330a83f2a064499d8ed2797045641f92c upstream.
+This change has the following effects, in order of descreasing importance:
+1) Prevent a stack buffer overflow
+2) Do not append an unnecessary NULL to an anyway binary buffer, which
+   is writing one byte past client_digest when caller is:
+   chap_string_to_hex(client_digest, chap_r, strlen(chap_r));
+The latter was found by KASAN (see below) when input value hes expected size
+(32 hex chars), and further analysis revealed a stack buffer overflow can
+happen when network-received value is longer, allowing an unauthenticated
+remote attacker to smash up to 17 bytes after destination buffer (16 bytes
+attacker-controlled and one null).  As switching to hex2bin requires
+specifying destination buffer length, and does not internally append any null,
+it solves both issues.
+This addresses CVE-2018-14633.
+Beyond this:
+- Validate received value length and check hex2bin accepted the input, to log
+  this rejection reason instead of just failing authentication.
+- Only log received CHAP_R and CHAP_C values once they passed sanity checks.
+==================================================================
+BUG: KASAN: stack-out-of-bounds in chap_string_to_hex+0x32/0x60 [iscsi_target_mod]
+Write of size 1 at addr ffff8801090ef7c8 by task kworker/0:0/1021
+CPU: 0 PID: 1021 Comm: kworker/0:0 Tainted: G           O      4.17.8kasan.sess.connops+ #2
+Hardware name: To be filled by O.E.M. To be filled by O.E.M./Aptio CRB, BIOS 5.6.5 05/19/2014
+Workqueue: events iscsi_target_do_login_rx [iscsi_target_mod]
+Call Trace:
+ dump_stack+0x71/0xac
+ print_address_description+0x65/0x22e
+ ? chap_string_to_hex+0x32/0x60 [iscsi_target_mod]
+ kasan_report.cold.6+0x241/0x2fd
+ chap_string_to_hex+0x32/0x60 [iscsi_target_mod]
+ chap_server_compute_md5.isra.2+0x2cb/0x860 [iscsi_target_mod]
+ ? chap_binaryhex_to_asciihex.constprop.5+0x50/0x50 [iscsi_target_mod]
+ ? ftrace_caller_op_ptr+0xe/0xe
+ ? __orc_find+0x6f/0xc0
+ ? unwind_next_frame+0x231/0x850
+ ? kthread+0x1a0/0x1c0
+ ? ret_from_fork+0x35/0x40
+ ? ret_from_fork+0x35/0x40
+ ? iscsi_target_do_login_rx+0x3bc/0x4c0 [iscsi_target_mod]
+ ? deref_stack_reg+0xd0/0xd0
+ ? iscsi_target_do_login_rx+0x3bc/0x4c0 [iscsi_target_mod]
+ ? is_module_text_address+0xa/0x11
+ ? kernel_text_address+0x4c/0x110
+ ? __save_stack_trace+0x82/0x100
+ ? ret_from_fork+0x35/0x40
+ ? save_stack+0x8c/0xb0
+ ? 0xffffffffc1660000
+ ? iscsi_target_do_login+0x155/0x8d0 [iscsi_target_mod]
+ ? iscsi_target_do_login_rx+0x3bc/0x4c0 [iscsi_target_mod]
+ ? process_one_work+0x35c/0x640
+ ? worker_thread+0x66/0x5d0
+ ? kthread+0x1a0/0x1c0
+ ? ret_from_fork+0x35/0x40
+ ? iscsi_update_param_value+0x80/0x80 [iscsi_target_mod]
+ ? iscsit_release_cmd+0x170/0x170 [iscsi_target_mod]
+ chap_main_loop+0x172/0x570 [iscsi_target_mod]
+ ? chap_server_compute_md5.isra.2+0x860/0x860 [iscsi_target_mod]
+ ? rx_data+0xd6/0x120 [iscsi_target_mod]
+ ? iscsit_print_session_params+0xd0/0xd0 [iscsi_target_mod]
+ ? cyc2ns_read_begin.part.2+0x90/0x90
+ ? _raw_spin_lock_irqsave+0x25/0x50
+ ? memcmp+0x45/0x70
+ iscsi_target_do_login+0x875/0x8d0 [iscsi_target_mod]
+ ? iscsi_target_check_first_request.isra.5+0x1a0/0x1a0 [iscsi_target_mod]
+ ? del_timer+0xe0/0xe0
+ ? memset+0x1f/0x40
+ ? flush_sigqueue+0x29/0xd0
+ iscsi_target_do_login_rx+0x3bc/0x4c0 [iscsi_target_mod]
+ ? iscsi_target_nego_release+0x80/0x80 [iscsi_target_mod]
+ ? iscsi_target_restore_sock_callbacks+0x130/0x130 [iscsi_target_mod]
+ process_one_work+0x35c/0x640
+ worker_thread+0x66/0x5d0
+ ? flush_rcu_work+0x40/0x40
+ kthread+0x1a0/0x1c0
+ ? kthread_bind+0x30/0x30
+ ret_from_fork+0x35/0x40
+The buggy address belongs to the page:
+page:ffffea0004243bc0 count:0 mapcount:0 mapping:0000000000000000 index:0x0
+flags: 0x17fffc000000000()
+raw: 017fffc000000000 0000000000000000 0000000000000000 00000000ffffffff
+raw: ffffea0004243c20 ffffea0004243ba0 0000000000000000 0000000000000000
+page dumped because: kasan: bad access detected
+Memory state around the buggy address:
+ ffff8801090ef680: f2 f2 f2 f2 f2 f2 f2 01 f2 f2 f2 f2 f2 f2 f2 00
+ ffff8801090ef700: f2 f2 f2 f2 f2 f2 f2 00 02 f2 f2 f2 f2 f2 f2 00
+>ffff8801090ef780: 00 f2 f2 f2 f2 f2 f2 00 00 f2 f2 f2 f2 f2 f2 00
+                                              ^
+ ffff8801090ef800: 00 f2 f2 f2 f2 f2 f2 00 00 00 00 02 f2 f2 f2 f2
+ ffff8801090ef880: f2 f2 f2 00 00 00 00 00 00 00 00 f2 f2 f2 f2 00
+==================================================================
+CVE: CVE-2018-14633
+Upstream-Status: Backport
+Signed-off-by: Vincent Pelletier <plr.vincent@gmail.com>
+Reviewed-by: Mike Christie <mchristi@redhat.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
+---
+ drivers/target/iscsi/iscsi_target_auth.c | 30 +++++++++++-------------
+ 1 file changed, 14 insertions(+), 16 deletions(-)
+diff --git a/drivers/target/iscsi/iscsi_target_auth.c b/drivers/target/iscsi/iscsi_target_auth.c
+index 9518ffd8b8ba..6c3b4c022894 100644
+--- a/drivers/target/iscsi/iscsi_target_auth.c
+++ b/drivers/target/iscsi/iscsi_target_auth.c
+@@ -26,18 +26,6 @@
+ #include "iscsi_target_nego.h"
+ #include "iscsi_target_auth.h"
+ 
+-static int chap_string_to_hex(unsigned char *dst, unsigned char *src, int len)
+-{
+-       int j = DIV_ROUND_UP(len, 2), rc;
+-
+-       rc = hex2bin(dst, src, j);
+-       if (rc < 0)
+-               pr_debug("CHAP string contains non hex digit symbols\n");
+-
+-       dst[j] = '\0';
+-       return j;
+-}
+-
+ static void chap_binaryhex_to_asciihex(char *dst, char *src, int src_len)
+ {
+        int i;
+@@ -248,9 +236,16 @@ static int chap_server_compute_md5(
+                pr_err("Could not find CHAP_R.\n");
+                goto out;
+        }
+       if (strlen(chap_r) != MD5_SIGNATURE_SIZE * 2) {
+               pr_err("Malformed CHAP_R\n");
+               goto out;
+       }
+       if (hex2bin(client_digest, chap_r, MD5_SIGNATURE_SIZE) < 0) {
+               pr_err("Malformed CHAP_R\n");
+               goto out;
+       }
+ 
+        pr_debug("[server] Got CHAP_R=%s\n", chap_r);
+-       chap_string_to_hex(client_digest, chap_r, strlen(chap_r));
+ 
+        tfm = crypto_alloc_shash("md5", 0, 0);
+        if (IS_ERR(tfm)) {
+@@ -349,9 +344,7 @@ static int chap_server_compute_md5(
+                pr_err("Could not find CHAP_C.\n");
+                goto out;
+        }
+-       pr_debug("[server] Got CHAP_C=%s\n", challenge);
+-       challenge_len = chap_string_to_hex(challenge_binhex, challenge,
+-                               strlen(challenge));
+       challenge_len = DIV_ROUND_UP(strlen(challenge), 2);
+        if (!challenge_len) {
+                pr_err("Unable to convert incoming challenge\n");
+                goto out;
+@@ -360,6 +353,11 @@ static int chap_server_compute_md5(
+                pr_err("CHAP_C exceeds maximum binary size of 1024 bytes\n");
+                goto out;
+        }
+       if (hex2bin(challenge_binhex, challenge, challenge_len) < 0) {
+               pr_err("Malformed CHAP_C\n");
+               goto out;
+       }
+       pr_debug("[server] Got CHAP_C=%s\n", challenge);
+        /*
+         * During mutual authentication, the CHAP_C generated by the
+         * initiator must not match the original CHAP_C generated by
+-- 
+2.19.2
author	Andreas Wellving <andreas.wellving@enea.com>	2019-01-25 16:09:24 +0100
committer	Adrian Mangeac <Adrian.Mangeac@enea.com>	2019-02-01 15:57:08 +0100
commit	5dd4ff4afafddef0d56795990f9190d19326bac7 (patch)
tree	95e80c0c9bd01ad7ccd7732437fe881314401a53
parent	9f09b87e8aec0f2665d352dc16f380d71d958f59 (diff)
download	enea-kernel-cache-5dd4ff4afafddef0d56795990f9190d19326bac7.tar.gz

diff --git a/patches/cve/4.14.x.scc b/patches/cve/4.14.x.scc index 7e8b156..78e3e2d 100644 --- a/patches/cve/4.14.x.scc +++ b/patches/cve/4.14.x.scc
@@ -1,2 +1,4 @@
1	#CVEs fixed in 4.14.71:	1	#CVEs fixed in 4.14.71:
2	patch CVE-2018-13099-f2fs-fix-to-do-sanity-check-with-reserved-blkaddr-of.patch	2	patch CVE-2018-13099-f2fs-fix-to-do-sanity-check-with-reserved-blkaddr-of.patch
		3	#CVEs fixed in 4.14.73:
		4	patch CVE-2018-14633-scsi-target-iscsi-Use-hex2bin-instead-of-a-re-implem.patch


diff --git a/patches/cve/CVE-2018-14633-scsi-target-iscsi-Use-hex2bin-instead-of-a-re-implem.patch b/patches/cve/CVE-2018-14633-scsi-target-iscsi-Use-hex2bin-instead-of-a-re-implem.patch new file mode 100644 index 0000000..3ffd412 --- /dev/null +++ b/patches/cve/CVE-2018-14633-scsi-target-iscsi-Use-hex2bin-instead-of-a-re-implem.patch
@@ -0,0 +1,188 @@
		1	From 755e45f3155cc51e37dc1cce9ccde10b84df7d93 Mon Sep 17 00:00:00 2001
		2	From: Vincent Pelletier <plr.vincent@gmail.com>
		3	Date: Sun, 9 Sep 2018 04:09:26 +0000
		4	Subject: [PATCH] scsi: target: iscsi: Use hex2bin instead of a
		5	re-implementation
		6
		7	commit 1816494330a83f2a064499d8ed2797045641f92c upstream.
		8
		9	This change has the following effects, in order of descreasing importance:
		10
		11	1) Prevent a stack buffer overflow
		12
		13	2) Do not append an unnecessary NULL to an anyway binary buffer, which
		14	is writing one byte past client_digest when caller is:
		15	chap_string_to_hex(client_digest, chap_r, strlen(chap_r));
		16
		17	The latter was found by KASAN (see below) when input value hes expected size
		18	(32 hex chars), and further analysis revealed a stack buffer overflow can
		19	happen when network-received value is longer, allowing an unauthenticated
		20	remote attacker to smash up to 17 bytes after destination buffer (16 bytes
		21	attacker-controlled and one null). As switching to hex2bin requires
		22	specifying destination buffer length, and does not internally append any null,
		23	it solves both issues.
		24
		25	This addresses CVE-2018-14633.
		26
		27	Beyond this:
		28
		29	- Validate received value length and check hex2bin accepted the input, to log
		30	this rejection reason instead of just failing authentication.
		31
		32	- Only log received CHAP_R and CHAP_C values once they passed sanity checks.
		33
		34	==================================================================
		35	BUG: KASAN: stack-out-of-bounds in chap_string_to_hex+0x32/0x60 [iscsi_target_mod]
		36	Write of size 1 at addr ffff8801090ef7c8 by task kworker/0:0/1021
		37
		38	CPU: 0 PID: 1021 Comm: kworker/0:0 Tainted: G O 4.17.8kasan.sess.connops+ #2
		39	Hardware name: To be filled by O.E.M. To be filled by O.E.M./Aptio CRB, BIOS 5.6.5 05/19/2014
		40	Workqueue: events iscsi_target_do_login_rx [iscsi_target_mod]
		41	Call Trace:
		42	dump_stack+0x71/0xac
		43	print_address_description+0x65/0x22e
		44	? chap_string_to_hex+0x32/0x60 [iscsi_target_mod]
		45	kasan_report.cold.6+0x241/0x2fd
		46	chap_string_to_hex+0x32/0x60 [iscsi_target_mod]
		47	chap_server_compute_md5.isra.2+0x2cb/0x860 [iscsi_target_mod]
		48	? chap_binaryhex_to_asciihex.constprop.5+0x50/0x50 [iscsi_target_mod]
		49	? ftrace_caller_op_ptr+0xe/0xe
		50	? __orc_find+0x6f/0xc0
		51	? unwind_next_frame+0x231/0x850
		52	? kthread+0x1a0/0x1c0
		53	? ret_from_fork+0x35/0x40
		54	? ret_from_fork+0x35/0x40
		55	? iscsi_target_do_login_rx+0x3bc/0x4c0 [iscsi_target_mod]
		56	? deref_stack_reg+0xd0/0xd0
		57	? iscsi_target_do_login_rx+0x3bc/0x4c0 [iscsi_target_mod]
		58	? is_module_text_address+0xa/0x11
		59	? kernel_text_address+0x4c/0x110
		60	? __save_stack_trace+0x82/0x100
		61	? ret_from_fork+0x35/0x40
		62	? save_stack+0x8c/0xb0
		63	? 0xffffffffc1660000
		64	? iscsi_target_do_login+0x155/0x8d0 [iscsi_target_mod]
		65	? iscsi_target_do_login_rx+0x3bc/0x4c0 [iscsi_target_mod]
		66	? process_one_work+0x35c/0x640
		67	? worker_thread+0x66/0x5d0
		68	? kthread+0x1a0/0x1c0
		69	? ret_from_fork+0x35/0x40
		70	? iscsi_update_param_value+0x80/0x80 [iscsi_target_mod]
		71	? iscsit_release_cmd+0x170/0x170 [iscsi_target_mod]
		72	chap_main_loop+0x172/0x570 [iscsi_target_mod]
		73	? chap_server_compute_md5.isra.2+0x860/0x860 [iscsi_target_mod]
		74	? rx_data+0xd6/0x120 [iscsi_target_mod]
		75	? iscsit_print_session_params+0xd0/0xd0 [iscsi_target_mod]
		76	? cyc2ns_read_begin.part.2+0x90/0x90
		77	? _raw_spin_lock_irqsave+0x25/0x50
		78	? memcmp+0x45/0x70
		79	iscsi_target_do_login+0x875/0x8d0 [iscsi_target_mod]
		80	? iscsi_target_check_first_request.isra.5+0x1a0/0x1a0 [iscsi_target_mod]
		81	? del_timer+0xe0/0xe0
		82	? memset+0x1f/0x40
		83	? flush_sigqueue+0x29/0xd0
		84	iscsi_target_do_login_rx+0x3bc/0x4c0 [iscsi_target_mod]
		85	? iscsi_target_nego_release+0x80/0x80 [iscsi_target_mod]
		86	? iscsi_target_restore_sock_callbacks+0x130/0x130 [iscsi_target_mod]
		87	process_one_work+0x35c/0x640
		88	worker_thread+0x66/0x5d0
		89	? flush_rcu_work+0x40/0x40
		90	kthread+0x1a0/0x1c0
		91	? kthread_bind+0x30/0x30
		92	ret_from_fork+0x35/0x40
		93
		94	The buggy address belongs to the page:
		95	page:ffffea0004243bc0 count:0 mapcount:0 mapping:0000000000000000 index:0x0
		96	flags: 0x17fffc000000000()
		97	raw: 017fffc000000000 0000000000000000 0000000000000000 00000000ffffffff
		98	raw: ffffea0004243c20 ffffea0004243ba0 0000000000000000 0000000000000000
		99	page dumped because: kasan: bad access detected
		100
		101	Memory state around the buggy address:
		102	ffff8801090ef680: f2 f2 f2 f2 f2 f2 f2 01 f2 f2 f2 f2 f2 f2 f2 00
		103	ffff8801090ef700: f2 f2 f2 f2 f2 f2 f2 00 02 f2 f2 f2 f2 f2 f2 00
		104	>ffff8801090ef780: 00 f2 f2 f2 f2 f2 f2 00 00 f2 f2 f2 f2 f2 f2 00
		105	^
		106	ffff8801090ef800: 00 f2 f2 f2 f2 f2 f2 00 00 00 00 02 f2 f2 f2 f2
		107	ffff8801090ef880: f2 f2 f2 00 00 00 00 00 00 00 00 f2 f2 f2 f2 00
		108	==================================================================
		109
		110	CVE: CVE-2018-14633
		111	Upstream-Status: Backport
		112
		113	Signed-off-by: Vincent Pelletier <plr.vincent@gmail.com>
		114	Reviewed-by: Mike Christie <mchristi@redhat.com>
		115	Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
		116	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
		117	Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
		118	---
		119	drivers/target/iscsi/iscsi_target_auth.c \| 30 +++++++++++-------------
		120	1 file changed, 14 insertions(+), 16 deletions(-)
		121
		122	diff --git a/drivers/target/iscsi/iscsi_target_auth.c b/drivers/target/iscsi/iscsi_target_auth.c
		123	index 9518ffd8b8ba..6c3b4c022894 100644
		124	--- a/drivers/target/iscsi/iscsi_target_auth.c
		125	+++ b/drivers/target/iscsi/iscsi_target_auth.c
		126	@@ -26,18 +26,6 @@
		127	#include "iscsi_target_nego.h"
		128	#include "iscsi_target_auth.h"
		129
		130	-static int chap_string_to_hex(unsigned char dst, unsigned char src, int len)
		131	-{
		132	- int j = DIV_ROUND_UP(len, 2), rc;
		133	-
		134	- rc = hex2bin(dst, src, j);
		135	- if (rc < 0)
		136	- pr_debug("CHAP string contains non hex digit symbols\n");
		137	-
		138	- dst[j] = '\0';
		139	- return j;
		140	-}
		141	-
		142	static void chap_binaryhex_to_asciihex(char dst, char src, int src_len)
		143	{
		144	int i;
		145	@@ -248,9 +236,16 @@ static int chap_server_compute_md5(
		146	pr_err("Could not find CHAP_R.\n");
		147	goto out;
		148	}
		149	+ if (strlen(chap_r) != MD5_SIGNATURE_SIZE * 2) {
		150	+ pr_err("Malformed CHAP_R\n");
		151	+ goto out;
		152	+ }
		153	+ if (hex2bin(client_digest, chap_r, MD5_SIGNATURE_SIZE) < 0) {
		154	+ pr_err("Malformed CHAP_R\n");
		155	+ goto out;
		156	+ }
		157
		158	pr_debug("[server] Got CHAP_R=%s\n", chap_r);
		159	- chap_string_to_hex(client_digest, chap_r, strlen(chap_r));
		160
		161	tfm = crypto_alloc_shash("md5", 0, 0);
		162	if (IS_ERR(tfm)) {
		163	@@ -349,9 +344,7 @@ static int chap_server_compute_md5(
		164	pr_err("Could not find CHAP_C.\n");
		165	goto out;
		166	}
		167	- pr_debug("[server] Got CHAP_C=%s\n", challenge);
		168	- challenge_len = chap_string_to_hex(challenge_binhex, challenge,
		169	- strlen(challenge));
		170	+ challenge_len = DIV_ROUND_UP(strlen(challenge), 2);
		171	if (!challenge_len) {
		172	pr_err("Unable to convert incoming challenge\n");
		173	goto out;
		174	@@ -360,6 +353,11 @@ static int chap_server_compute_md5(
		175	pr_err("CHAP_C exceeds maximum binary size of 1024 bytes\n");
		176	goto out;
		177	}
		178	+ if (hex2bin(challenge_binhex, challenge, challenge_len) < 0) {
		179	+ pr_err("Malformed CHAP_C\n");
		180	+ goto out;
		181	+ }
		182	+ pr_debug("[server] Got CHAP_C=%s\n", challenge);
		183	/*
		184	* During mutual authentication, the CHAP_C generated by the
		185	* initiator must not match the original CHAP_C generated by
		186	--
		187	2.19.2
		188