diff options
| author | Andreas Wellving <andreas.wellving@enea.com> | 2019-01-25 16:09:24 +0100 |
|---|---|---|
| committer | Adrian Mangeac <Adrian.Mangeac@enea.com> | 2019-02-01 15:57:08 +0100 |
| commit | 5dd4ff4afafddef0d56795990f9190d19326bac7 (patch) | |
| tree | 95e80c0c9bd01ad7ccd7732437fe881314401a53 | |
| parent | 9f09b87e8aec0f2665d352dc16f380d71d958f59 (diff) | |
| download | enea-kernel-cache-5dd4ff4afafddef0d56795990f9190d19326bac7.tar.gz | |
scsi: CVE-2018-14633
scsi: target: iscsi: Use hex2bin instead of a re-implementation
References:
https://nvd.nist.gov/vuln/detail/CVE-2018-14633
https://git.kernel.org/pub/scm/linux/kernel/git/mkp/scsi.git/commit/?h=4.19/scsi-fixes&id=1816494330a83f2a064499d8ed2797045641f92c
Change-Id: I16bfd3eec69e4aef5a238a4d65e2790ba2c88b67
Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
| -rw-r--r-- | patches/cve/4.14.x.scc | 2 | ||||
| -rw-r--r-- | patches/cve/CVE-2018-14633-scsi-target-iscsi-Use-hex2bin-instead-of-a-re-implem.patch | 188 |
2 files changed, 190 insertions, 0 deletions
diff --git a/patches/cve/4.14.x.scc b/patches/cve/4.14.x.scc index 7e8b156..78e3e2d 100644 --- a/patches/cve/4.14.x.scc +++ b/patches/cve/4.14.x.scc | |||
| @@ -1,2 +1,4 @@ | |||
| 1 | #CVEs fixed in 4.14.71: | 1 | #CVEs fixed in 4.14.71: |
| 2 | patch CVE-2018-13099-f2fs-fix-to-do-sanity-check-with-reserved-blkaddr-of.patch | 2 | patch CVE-2018-13099-f2fs-fix-to-do-sanity-check-with-reserved-blkaddr-of.patch |
| 3 | #CVEs fixed in 4.14.73: | ||
| 4 | patch CVE-2018-14633-scsi-target-iscsi-Use-hex2bin-instead-of-a-re-implem.patch | ||
diff --git a/patches/cve/CVE-2018-14633-scsi-target-iscsi-Use-hex2bin-instead-of-a-re-implem.patch b/patches/cve/CVE-2018-14633-scsi-target-iscsi-Use-hex2bin-instead-of-a-re-implem.patch new file mode 100644 index 0000000..3ffd412 --- /dev/null +++ b/patches/cve/CVE-2018-14633-scsi-target-iscsi-Use-hex2bin-instead-of-a-re-implem.patch | |||
| @@ -0,0 +1,188 @@ | |||
| 1 | From 755e45f3155cc51e37dc1cce9ccde10b84df7d93 Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Vincent Pelletier <plr.vincent@gmail.com> | ||
| 3 | Date: Sun, 9 Sep 2018 04:09:26 +0000 | ||
| 4 | Subject: [PATCH] scsi: target: iscsi: Use hex2bin instead of a | ||
| 5 | re-implementation | ||
| 6 | |||
| 7 | commit 1816494330a83f2a064499d8ed2797045641f92c upstream. | ||
| 8 | |||
| 9 | This change has the following effects, in order of descreasing importance: | ||
| 10 | |||
| 11 | 1) Prevent a stack buffer overflow | ||
| 12 | |||
| 13 | 2) Do not append an unnecessary NULL to an anyway binary buffer, which | ||
| 14 | is writing one byte past client_digest when caller is: | ||
| 15 | chap_string_to_hex(client_digest, chap_r, strlen(chap_r)); | ||
| 16 | |||
| 17 | The latter was found by KASAN (see below) when input value hes expected size | ||
| 18 | (32 hex chars), and further analysis revealed a stack buffer overflow can | ||
| 19 | happen when network-received value is longer, allowing an unauthenticated | ||
| 20 | remote attacker to smash up to 17 bytes after destination buffer (16 bytes | ||
| 21 | attacker-controlled and one null). As switching to hex2bin requires | ||
| 22 | specifying destination buffer length, and does not internally append any null, | ||
| 23 | it solves both issues. | ||
| 24 | |||
| 25 | This addresses CVE-2018-14633. | ||
| 26 | |||
| 27 | Beyond this: | ||
| 28 | |||
| 29 | - Validate received value length and check hex2bin accepted the input, to log | ||
| 30 | this rejection reason instead of just failing authentication. | ||
| 31 | |||
| 32 | - Only log received CHAP_R and CHAP_C values once they passed sanity checks. | ||
| 33 | |||
| 34 | ================================================================== | ||
| 35 | BUG: KASAN: stack-out-of-bounds in chap_string_to_hex+0x32/0x60 [iscsi_target_mod] | ||
| 36 | Write of size 1 at addr ffff8801090ef7c8 by task kworker/0:0/1021 | ||
| 37 | |||
| 38 | CPU: 0 PID: 1021 Comm: kworker/0:0 Tainted: G O 4.17.8kasan.sess.connops+ #2 | ||
| 39 | Hardware name: To be filled by O.E.M. To be filled by O.E.M./Aptio CRB, BIOS 5.6.5 05/19/2014 | ||
| 40 | Workqueue: events iscsi_target_do_login_rx [iscsi_target_mod] | ||
| 41 | Call Trace: | ||
| 42 | dump_stack+0x71/0xac | ||
| 43 | print_address_description+0x65/0x22e | ||
| 44 | ? chap_string_to_hex+0x32/0x60 [iscsi_target_mod] | ||
| 45 | kasan_report.cold.6+0x241/0x2fd | ||
| 46 | chap_string_to_hex+0x32/0x60 [iscsi_target_mod] | ||
| 47 | chap_server_compute_md5.isra.2+0x2cb/0x860 [iscsi_target_mod] | ||
| 48 | ? chap_binaryhex_to_asciihex.constprop.5+0x50/0x50 [iscsi_target_mod] | ||
| 49 | ? ftrace_caller_op_ptr+0xe/0xe | ||
| 50 | ? __orc_find+0x6f/0xc0 | ||
| 51 | ? unwind_next_frame+0x231/0x850 | ||
| 52 | ? kthread+0x1a0/0x1c0 | ||
| 53 | ? ret_from_fork+0x35/0x40 | ||
| 54 | ? ret_from_fork+0x35/0x40 | ||
| 55 | ? iscsi_target_do_login_rx+0x3bc/0x4c0 [iscsi_target_mod] | ||
| 56 | ? deref_stack_reg+0xd0/0xd0 | ||
| 57 | ? iscsi_target_do_login_rx+0x3bc/0x4c0 [iscsi_target_mod] | ||
| 58 | ? is_module_text_address+0xa/0x11 | ||
| 59 | ? kernel_text_address+0x4c/0x110 | ||
| 60 | ? __save_stack_trace+0x82/0x100 | ||
| 61 | ? ret_from_fork+0x35/0x40 | ||
| 62 | ? save_stack+0x8c/0xb0 | ||
| 63 | ? 0xffffffffc1660000 | ||
| 64 | ? iscsi_target_do_login+0x155/0x8d0 [iscsi_target_mod] | ||
| 65 | ? iscsi_target_do_login_rx+0x3bc/0x4c0 [iscsi_target_mod] | ||
| 66 | ? process_one_work+0x35c/0x640 | ||
| 67 | ? worker_thread+0x66/0x5d0 | ||
| 68 | ? kthread+0x1a0/0x1c0 | ||
| 69 | ? ret_from_fork+0x35/0x40 | ||
| 70 | ? iscsi_update_param_value+0x80/0x80 [iscsi_target_mod] | ||
| 71 | ? iscsit_release_cmd+0x170/0x170 [iscsi_target_mod] | ||
| 72 | chap_main_loop+0x172/0x570 [iscsi_target_mod] | ||
| 73 | ? chap_server_compute_md5.isra.2+0x860/0x860 [iscsi_target_mod] | ||
| 74 | ? rx_data+0xd6/0x120 [iscsi_target_mod] | ||
| 75 | ? iscsit_print_session_params+0xd0/0xd0 [iscsi_target_mod] | ||
| 76 | ? cyc2ns_read_begin.part.2+0x90/0x90 | ||
| 77 | ? _raw_spin_lock_irqsave+0x25/0x50 | ||
| 78 | ? memcmp+0x45/0x70 | ||
| 79 | iscsi_target_do_login+0x875/0x8d0 [iscsi_target_mod] | ||
| 80 | ? iscsi_target_check_first_request.isra.5+0x1a0/0x1a0 [iscsi_target_mod] | ||
| 81 | ? del_timer+0xe0/0xe0 | ||
| 82 | ? memset+0x1f/0x40 | ||
| 83 | ? flush_sigqueue+0x29/0xd0 | ||
| 84 | iscsi_target_do_login_rx+0x3bc/0x4c0 [iscsi_target_mod] | ||
| 85 | ? iscsi_target_nego_release+0x80/0x80 [iscsi_target_mod] | ||
| 86 | ? iscsi_target_restore_sock_callbacks+0x130/0x130 [iscsi_target_mod] | ||
| 87 | process_one_work+0x35c/0x640 | ||
| 88 | worker_thread+0x66/0x5d0 | ||
| 89 | ? flush_rcu_work+0x40/0x40 | ||
| 90 | kthread+0x1a0/0x1c0 | ||
| 91 | ? kthread_bind+0x30/0x30 | ||
| 92 | ret_from_fork+0x35/0x40 | ||
| 93 | |||
| 94 | The buggy address belongs to the page: | ||
| 95 | page:ffffea0004243bc0 count:0 mapcount:0 mapping:0000000000000000 index:0x0 | ||
| 96 | flags: 0x17fffc000000000() | ||
| 97 | raw: 017fffc000000000 0000000000000000 0000000000000000 00000000ffffffff | ||
| 98 | raw: ffffea0004243c20 ffffea0004243ba0 0000000000000000 0000000000000000 | ||
| 99 | page dumped because: kasan: bad access detected | ||
| 100 | |||
| 101 | Memory state around the buggy address: | ||
| 102 | ffff8801090ef680: f2 f2 f2 f2 f2 f2 f2 01 f2 f2 f2 f2 f2 f2 f2 00 | ||
| 103 | ffff8801090ef700: f2 f2 f2 f2 f2 f2 f2 00 02 f2 f2 f2 f2 f2 f2 00 | ||
| 104 | >ffff8801090ef780: 00 f2 f2 f2 f2 f2 f2 00 00 f2 f2 f2 f2 f2 f2 00 | ||
| 105 | ^ | ||
| 106 | ffff8801090ef800: 00 f2 f2 f2 f2 f2 f2 00 00 00 00 02 f2 f2 f2 f2 | ||
| 107 | ffff8801090ef880: f2 f2 f2 00 00 00 00 00 00 00 00 f2 f2 f2 f2 00 | ||
| 108 | ================================================================== | ||
| 109 | |||
| 110 | CVE: CVE-2018-14633 | ||
| 111 | Upstream-Status: Backport | ||
| 112 | |||
| 113 | Signed-off-by: Vincent Pelletier <plr.vincent@gmail.com> | ||
| 114 | Reviewed-by: Mike Christie <mchristi@redhat.com> | ||
| 115 | Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com> | ||
| 116 | Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> | ||
| 117 | Signed-off-by: Andreas Wellving <andreas.wellving@enea.com> | ||
| 118 | --- | ||
| 119 | drivers/target/iscsi/iscsi_target_auth.c | 30 +++++++++++------------- | ||
| 120 | 1 file changed, 14 insertions(+), 16 deletions(-) | ||
| 121 | |||
| 122 | diff --git a/drivers/target/iscsi/iscsi_target_auth.c b/drivers/target/iscsi/iscsi_target_auth.c | ||
| 123 | index 9518ffd8b8ba..6c3b4c022894 100644 | ||
| 124 | --- a/drivers/target/iscsi/iscsi_target_auth.c | ||
| 125 | +++ b/drivers/target/iscsi/iscsi_target_auth.c | ||
| 126 | @@ -26,18 +26,6 @@ | ||
| 127 | #include "iscsi_target_nego.h" | ||
| 128 | #include "iscsi_target_auth.h" | ||
| 129 | |||
| 130 | -static int chap_string_to_hex(unsigned char *dst, unsigned char *src, int len) | ||
| 131 | -{ | ||
| 132 | - int j = DIV_ROUND_UP(len, 2), rc; | ||
| 133 | - | ||
| 134 | - rc = hex2bin(dst, src, j); | ||
| 135 | - if (rc < 0) | ||
| 136 | - pr_debug("CHAP string contains non hex digit symbols\n"); | ||
| 137 | - | ||
| 138 | - dst[j] = '\0'; | ||
| 139 | - return j; | ||
| 140 | -} | ||
| 141 | - | ||
| 142 | static void chap_binaryhex_to_asciihex(char *dst, char *src, int src_len) | ||
| 143 | { | ||
| 144 | int i; | ||
| 145 | @@ -248,9 +236,16 @@ static int chap_server_compute_md5( | ||
| 146 | pr_err("Could not find CHAP_R.\n"); | ||
| 147 | goto out; | ||
| 148 | } | ||
| 149 | + if (strlen(chap_r) != MD5_SIGNATURE_SIZE * 2) { | ||
| 150 | + pr_err("Malformed CHAP_R\n"); | ||
| 151 | + goto out; | ||
| 152 | + } | ||
| 153 | + if (hex2bin(client_digest, chap_r, MD5_SIGNATURE_SIZE) < 0) { | ||
| 154 | + pr_err("Malformed CHAP_R\n"); | ||
| 155 | + goto out; | ||
| 156 | + } | ||
| 157 | |||
| 158 | pr_debug("[server] Got CHAP_R=%s\n", chap_r); | ||
| 159 | - chap_string_to_hex(client_digest, chap_r, strlen(chap_r)); | ||
| 160 | |||
| 161 | tfm = crypto_alloc_shash("md5", 0, 0); | ||
| 162 | if (IS_ERR(tfm)) { | ||
| 163 | @@ -349,9 +344,7 @@ static int chap_server_compute_md5( | ||
| 164 | pr_err("Could not find CHAP_C.\n"); | ||
| 165 | goto out; | ||
| 166 | } | ||
| 167 | - pr_debug("[server] Got CHAP_C=%s\n", challenge); | ||
| 168 | - challenge_len = chap_string_to_hex(challenge_binhex, challenge, | ||
| 169 | - strlen(challenge)); | ||
| 170 | + challenge_len = DIV_ROUND_UP(strlen(challenge), 2); | ||
| 171 | if (!challenge_len) { | ||
| 172 | pr_err("Unable to convert incoming challenge\n"); | ||
| 173 | goto out; | ||
| 174 | @@ -360,6 +353,11 @@ static int chap_server_compute_md5( | ||
| 175 | pr_err("CHAP_C exceeds maximum binary size of 1024 bytes\n"); | ||
| 176 | goto out; | ||
| 177 | } | ||
| 178 | + if (hex2bin(challenge_binhex, challenge, challenge_len) < 0) { | ||
| 179 | + pr_err("Malformed CHAP_C\n"); | ||
| 180 | + goto out; | ||
| 181 | + } | ||
| 182 | + pr_debug("[server] Got CHAP_C=%s\n", challenge); | ||
| 183 | /* | ||
| 184 | * During mutual authentication, the CHAP_C generated by the | ||
| 185 | * initiator must not match the original CHAP_C generated by | ||
| 186 | -- | ||
| 187 | 2.19.2 | ||
| 188 | |||
