From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Vincent Pelletier <plr.vincent@gmail.com>,
Mike Christie <mchristi@redhat.com>,
"Martin K. Petersen" <martin.petersen@oracle.com>
Subject: [PATCH 4.14 37/64] scsi: target: iscsi: Use hex2bin instead of a re-implementation
Date: Thu, 27 Sep 2018 11:03:54 +0200 [thread overview]
Message-ID: <20180927090255.339196143@linuxfoundation.org> (raw)
In-Reply-To: <20180927090249.801943776@linuxfoundation.org>
4.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Vincent Pelletier <plr.vincent@gmail.com>
commit 1816494330a83f2a064499d8ed2797045641f92c upstream.
This change has the following effects, in order of descreasing importance:
1) Prevent a stack buffer overflow
2) Do not append an unnecessary NULL to an anyway binary buffer, which
is writing one byte past client_digest when caller is:
chap_string_to_hex(client_digest, chap_r, strlen(chap_r));
The latter was found by KASAN (see below) when input value hes expected size
(32 hex chars), and further analysis revealed a stack buffer overflow can
happen when network-received value is longer, allowing an unauthenticated
remote attacker to smash up to 17 bytes after destination buffer (16 bytes
attacker-controlled and one null). As switching to hex2bin requires
specifying destination buffer length, and does not internally append any null,
it solves both issues.
This addresses CVE-2018-14633.
Beyond this:
- Validate received value length and check hex2bin accepted the input, to log
this rejection reason instead of just failing authentication.
- Only log received CHAP_R and CHAP_C values once they passed sanity checks.
==================================================================
BUG: KASAN: stack-out-of-bounds in chap_string_to_hex+0x32/0x60 [iscsi_target_mod]
Write of size 1 at addr ffff8801090ef7c8 by task kworker/0:0/1021
CPU: 0 PID: 1021 Comm: kworker/0:0 Tainted: G O 4.17.8kasan.sess.connops+ #2
Hardware name: To be filled by O.E.M. To be filled by O.E.M./Aptio CRB, BIOS 5.6.5 05/19/2014
Workqueue: events iscsi_target_do_login_rx [iscsi_target_mod]
Call Trace:
dump_stack+0x71/0xac
print_address_description+0x65/0x22e
? chap_string_to_hex+0x32/0x60 [iscsi_target_mod]
kasan_report.cold.6+0x241/0x2fd
chap_string_to_hex+0x32/0x60 [iscsi_target_mod]
chap_server_compute_md5.isra.2+0x2cb/0x860 [iscsi_target_mod]
? chap_binaryhex_to_asciihex.constprop.5+0x50/0x50 [iscsi_target_mod]
? ftrace_caller_op_ptr+0xe/0xe
? __orc_find+0x6f/0xc0
? unwind_next_frame+0x231/0x850
? kthread+0x1a0/0x1c0
? ret_from_fork+0x35/0x40
? ret_from_fork+0x35/0x40
? iscsi_target_do_login_rx+0x3bc/0x4c0 [iscsi_target_mod]
? deref_stack_reg+0xd0/0xd0
? iscsi_target_do_login_rx+0x3bc/0x4c0 [iscsi_target_mod]
? is_module_text_address+0xa/0x11
? kernel_text_address+0x4c/0x110
? __save_stack_trace+0x82/0x100
? ret_from_fork+0x35/0x40
? save_stack+0x8c/0xb0
? 0xffffffffc1660000
? iscsi_target_do_login+0x155/0x8d0 [iscsi_target_mod]
? iscsi_target_do_login_rx+0x3bc/0x4c0 [iscsi_target_mod]
? process_one_work+0x35c/0x640
? worker_thread+0x66/0x5d0
? kthread+0x1a0/0x1c0
? ret_from_fork+0x35/0x40
? iscsi_update_param_value+0x80/0x80 [iscsi_target_mod]
? iscsit_release_cmd+0x170/0x170 [iscsi_target_mod]
chap_main_loop+0x172/0x570 [iscsi_target_mod]
? chap_server_compute_md5.isra.2+0x860/0x860 [iscsi_target_mod]
? rx_data+0xd6/0x120 [iscsi_target_mod]
? iscsit_print_session_params+0xd0/0xd0 [iscsi_target_mod]
? cyc2ns_read_begin.part.2+0x90/0x90
? _raw_spin_lock_irqsave+0x25/0x50
? memcmp+0x45/0x70
iscsi_target_do_login+0x875/0x8d0 [iscsi_target_mod]
? iscsi_target_check_first_request.isra.5+0x1a0/0x1a0 [iscsi_target_mod]
? del_timer+0xe0/0xe0
? memset+0x1f/0x40
? flush_sigqueue+0x29/0xd0
iscsi_target_do_login_rx+0x3bc/0x4c0 [iscsi_target_mod]
? iscsi_target_nego_release+0x80/0x80 [iscsi_target_mod]
? iscsi_target_restore_sock_callbacks+0x130/0x130 [iscsi_target_mod]
process_one_work+0x35c/0x640
worker_thread+0x66/0x5d0
? flush_rcu_work+0x40/0x40
kthread+0x1a0/0x1c0
? kthread_bind+0x30/0x30
ret_from_fork+0x35/0x40
The buggy address belongs to the page:
page:ffffea0004243bc0 count:0 mapcount:0 mapping:0000000000000000 index:0x0
flags: 0x17fffc000000000()
raw: 017fffc000000000 0000000000000000 0000000000000000 00000000ffffffff
raw: ffffea0004243c20 ffffea0004243ba0 0000000000000000 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff8801090ef680: f2 f2 f2 f2 f2 f2 f2 01 f2 f2 f2 f2 f2 f2 f2 00
ffff8801090ef700: f2 f2 f2 f2 f2 f2 f2 00 02 f2 f2 f2 f2 f2 f2 00
>ffff8801090ef780: 00 f2 f2 f2 f2 f2 f2 00 00 f2 f2 f2 f2 f2 f2 00
^
ffff8801090ef800: 00 f2 f2 f2 f2 f2 f2 00 00 00 00 02 f2 f2 f2 f2
ffff8801090ef880: f2 f2 f2 00 00 00 00 00 00 00 00 f2 f2 f2 f2 00
==================================================================
Signed-off-by: Vincent Pelletier <plr.vincent@gmail.com>
Reviewed-by: Mike Christie <mchristi@redhat.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/target/iscsi/iscsi_target_auth.c | 30 ++++++++++++++----------------
1 file changed, 14 insertions(+), 16 deletions(-)
--- a/drivers/target/iscsi/iscsi_target_auth.c
+++ b/drivers/target/iscsi/iscsi_target_auth.c
@@ -26,18 +26,6 @@
#include "iscsi_target_nego.h"
#include "iscsi_target_auth.h"
-static int chap_string_to_hex(unsigned char *dst, unsigned char *src, int len)
-{
- int j = DIV_ROUND_UP(len, 2), rc;
-
- rc = hex2bin(dst, src, j);
- if (rc < 0)
- pr_debug("CHAP string contains non hex digit symbols\n");
-
- dst[j] = '\0';
- return j;
-}
-
static void chap_binaryhex_to_asciihex(char *dst, char *src, int src_len)
{
int i;
@@ -248,9 +236,16 @@ static int chap_server_compute_md5(
pr_err("Could not find CHAP_R.\n");
goto out;
}
+ if (strlen(chap_r) != MD5_SIGNATURE_SIZE * 2) {
+ pr_err("Malformed CHAP_R\n");
+ goto out;
+ }
+ if (hex2bin(client_digest, chap_r, MD5_SIGNATURE_SIZE) < 0) {
+ pr_err("Malformed CHAP_R\n");
+ goto out;
+ }
pr_debug("[server] Got CHAP_R=%s\n", chap_r);
- chap_string_to_hex(client_digest, chap_r, strlen(chap_r));
tfm = crypto_alloc_shash("md5", 0, 0);
if (IS_ERR(tfm)) {
@@ -349,9 +344,7 @@ static int chap_server_compute_md5(
pr_err("Could not find CHAP_C.\n");
goto out;
}
- pr_debug("[server] Got CHAP_C=%s\n", challenge);
- challenge_len = chap_string_to_hex(challenge_binhex, challenge,
- strlen(challenge));
+ challenge_len = DIV_ROUND_UP(strlen(challenge), 2);
if (!challenge_len) {
pr_err("Unable to convert incoming challenge\n");
goto out;
@@ -360,6 +353,11 @@ static int chap_server_compute_md5(
pr_err("CHAP_C exceeds maximum binary size of 1024 bytes\n");
goto out;
}
+ if (hex2bin(challenge_binhex, challenge, challenge_len) < 0) {
+ pr_err("Malformed CHAP_C\n");
+ goto out;
+ }
+ pr_debug("[server] Got CHAP_C=%s\n", challenge);
/*
* During mutual authentication, the CHAP_C generated by the
* initiator must not match the original CHAP_C generated by
next prev parent reply other threads:[~2018-09-27 9:19 UTC|newest]
Thread overview: 77+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-09-27 9:03 [PATCH 4.14 00/64] 4.14.73-stable review Greg Kroah-Hartman
2018-09-27 9:03 ` [PATCH 4.14 01/64] gso_segment: Reset skb->mac_len after modifying network header Greg Kroah-Hartman
2018-09-27 9:03 ` [PATCH 4.14 02/64] ipv6: fix possible use-after-free in ip6_xmit() Greg Kroah-Hartman
2018-09-27 9:03 ` [PATCH 4.14 03/64] net/appletalk: fix minor pointer leak to userspace in SIOCFINDIPDDPRT Greg Kroah-Hartman
2018-09-27 9:03 ` [PATCH 4.14 04/64] net: hp100: fix always-true check for link up state Greg Kroah-Hartman
2018-09-27 9:03 ` [PATCH 4.14 05/64] pppoe: fix reception of frames with no mac header Greg Kroah-Hartman
2018-09-27 9:03 ` [PATCH 4.14 06/64] qmi_wwan: set DTR for modems in forced USB2 mode Greg Kroah-Hartman
2018-09-27 9:03 ` [PATCH 4.14 07/64] udp4: fix IP_CMSG_CHECKSUM for connected sockets Greg Kroah-Hartman
2018-09-27 9:03 ` [PATCH 4.14 08/64] neighbour: confirm neigh entries when ARP packet is received Greg Kroah-Hartman
2018-09-27 9:03 ` [PATCH 4.14 09/64] udp6: add missing checks on edumux packet processing Greg Kroah-Hartman
2018-09-27 9:03 ` [PATCH 4.14 10/64] net/sched: act_sample: fix NULL dereference in the data path Greg Kroah-Hartman
2018-09-27 9:03 ` [PATCH 4.14 11/64] tls: dont copy the key out of tls12_crypto_info_aes_gcm_128 Greg Kroah-Hartman
2018-09-27 9:03 ` [PATCH 4.14 12/64] tls: zero the crypto information from tls_context before freeing Greg Kroah-Hartman
2018-09-27 9:03 ` [PATCH 4.14 13/64] tls: clear key material from kernel memory when do_tls_setsockopt_conf fails Greg Kroah-Hartman
2018-09-27 9:03 ` [PATCH 4.14 14/64] NFC: Fix possible memory corruption when handling SHDLC I-Frame commands Greg Kroah-Hartman
2018-09-27 9:03 ` [PATCH 4.14 15/64] NFC: Fix the number of pipes Greg Kroah-Hartman
2018-09-27 9:03 ` [PATCH 4.14 16/64] ASoC: cs4265: fix MMTLR Data switch control Greg Kroah-Hartman
2018-09-27 9:03 ` [PATCH 4.14 17/64] ASoC: rsnd: fixup not to call clk_get/set under non-atomic Greg Kroah-Hartman
2018-09-27 9:03 ` [PATCH 4.14 18/64] ALSA: bebob: fix memory leak for M-Audio FW1814 and ProjectMix I/O at error path Greg Kroah-Hartman
2018-09-27 9:03 ` [PATCH 4.14 19/64] ALSA: bebob: use address returned by kmalloc() instead of kernel stack for streaming DMA mapping Greg Kroah-Hartman
2018-09-27 9:03 ` [PATCH 4.14 20/64] ALSA: emu10k1: fix possible info leak to userspace on SNDRV_EMU10K1_IOCTL_INFO Greg Kroah-Hartman
2018-09-27 9:03 ` [PATCH 4.14 21/64] ALSA: fireface: fix memory leak in ff400_switch_fetching_mode() Greg Kroah-Hartman
2018-09-27 9:03 ` [PATCH 4.14 22/64] ALSA: firewire-digi00x: fix memory leak of private data Greg Kroah-Hartman
2018-09-27 9:03 ` [PATCH 4.14 23/64] ALSA: firewire-tascam: " Greg Kroah-Hartman
2018-09-27 9:03 ` [PATCH 4.14 24/64] ALSA: fireworks: fix memory leak of response buffer at error path Greg Kroah-Hartman
2018-09-27 9:03 ` [PATCH 4.14 25/64] ALSA: oxfw: fix memory leak for model-dependent data " Greg Kroah-Hartman
2018-09-27 9:03 ` [PATCH 4.14 26/64] ALSA: oxfw: fix memory leak of discovered stream formats " Greg Kroah-Hartman
2018-09-27 9:03 ` [PATCH 4.14 27/64] ALSA: oxfw: fix memory leak of private data Greg Kroah-Hartman
2018-09-27 9:03 ` [PATCH 4.14 28/64] platform/x86: alienware-wmi: Correct a memory leak Greg Kroah-Hartman
2018-09-27 9:03 ` [PATCH 4.14 29/64] xen/netfront: dont bug in case of too many frags Greg Kroah-Hartman
2018-09-27 9:03 ` [PATCH 4.14 30/64] xen/x86/vpmu: Zero struct pt_regs before calling into sample handling code Greg Kroah-Hartman
2018-09-27 9:03 ` [PATCH 4.14 31/64] spi: fix IDR collision on systems with both fixed and dynamic SPI bus numbers Greg Kroah-Hartman
2018-09-27 9:03 ` [PATCH 4.14 32/64] Revert "PCI: Add ACS quirk for Intel 300 series" Greg Kroah-Hartman
2018-09-27 9:03 ` [PATCH 4.14 33/64] ring-buffer: Allow for rescheduling when removing pages Greg Kroah-Hartman
2018-09-27 9:03 ` [PATCH 4.14 34/64] mm: shmem.c: Correctly annotate new inodes for lockdep Greg Kroah-Hartman
2018-09-27 9:03 ` [PATCH 4.14 35/64] Revert "rpmsg: core: add support to power domains for devices" Greg Kroah-Hartman
2018-09-27 9:03 ` [PATCH 4.14 36/64] Revert "uapi/linux/keyctl.h: dont use C++ reserved keyword as a struct member name" Greg Kroah-Hartman
2018-09-27 9:03 ` Greg Kroah-Hartman [this message]
2018-09-27 9:03 ` [PATCH 4.14 38/64] scsi: target: iscsi: Use bin2hex instead of a re-implementation Greg Kroah-Hartman
2018-09-27 9:03 ` [PATCH 4.14 39/64] Revert "ubifs: xattr: Dont operate on deleted inodes" Greg Kroah-Hartman
2018-09-27 9:03 ` [PATCH 4.14 40/64] ocfs2: fix ocfs2 read block panic Greg Kroah-Hartman
2018-09-27 9:03 ` [PATCH 4.14 41/64] drm/nouveau: Fix deadlocks in nouveau_connector_detect() Greg Kroah-Hartman
2018-09-27 9:03 ` [PATCH 4.14 42/64] drm/nouveau/drm/nouveau: Dont forget to cancel hpd_work on suspend/unload Greg Kroah-Hartman
2018-09-27 9:04 ` [PATCH 4.14 43/64] drm/nouveau/drm/nouveau: Fix bogus drm_kms_helper_poll_enable() placement Greg Kroah-Hartman
2018-09-27 9:04 ` [PATCH 4.14 44/64] drm/nouveau/drm/nouveau: Use pm_runtime_get_noresume() in connector_detect() Greg Kroah-Hartman
2018-09-27 9:04 ` [PATCH 4.14 45/64] drm/nouveau/drm/nouveau: Prevent handling ACPI HPD events too early Greg Kroah-Hartman
2018-09-27 9:04 ` [PATCH 4.14 46/64] drm/vc4: Fix the "no scaling" case on multi-planar YUV formats Greg Kroah-Hartman
2018-09-27 9:04 ` [PATCH 4.14 47/64] drm: udl: Destroy framebuffer only if it was initialized Greg Kroah-Hartman
2018-09-27 9:04 ` [PATCH 4.14 48/64] drm/amdgpu: add new polaris pci id Greg Kroah-Hartman
2018-09-27 9:04 ` [PATCH 4.14 49/64] drm/atomic: Use drm_drv_uses_atomic_modeset() for debugfs creation Greg Kroah-Hartman
2018-09-27 18:00 ` Jon Hunter
2018-09-27 19:01 ` Greg Kroah-Hartman
2018-09-27 9:04 ` [PATCH 4.14 50/64] tty: vt_ioctl: fix potential Spectre v1 Greg Kroah-Hartman
2018-09-27 9:04 ` [PATCH 4.14 51/64] ext4: check to make sure the rename(2)s destination is not freed Greg Kroah-Hartman
2018-09-27 9:04 ` [PATCH 4.14 52/64] ext4: avoid divide by zero fault when deleting corrupted inline directories Greg Kroah-Hartman
2018-09-27 9:04 ` [PATCH 4.14 53/64] ext4: avoid arithemetic overflow that can trigger a BUG Greg Kroah-Hartman
2018-09-27 9:04 ` [PATCH 4.14 54/64] ext4: recalucate superblock checksum after updating free blocks/inodes Greg Kroah-Hartman
2018-09-27 9:04 ` [PATCH 4.14 55/64] ext4: fix online resizes handling of a too-small final block group Greg Kroah-Hartman
2018-09-27 9:04 ` [PATCH 4.14 56/64] ext4: fix online resizing for bigalloc file systems with a 1k block size Greg Kroah-Hartman
2018-09-27 9:04 ` [PATCH 4.14 57/64] ext4: dont mark mmp buffer head dirty Greg Kroah-Hartman
2018-09-27 9:04 ` [PATCH 4.14 58/64] ext4: show test_dummy_encryption mount option in /proc/mounts Greg Kroah-Hartman
2018-09-27 9:04 ` [PATCH 4.14 59/64] sched/fair: Fix vruntime_normalized() for remote non-migration wakeup Greg Kroah-Hartman
2018-09-27 9:04 ` [PATCH 4.14 60/64] PCI: aardvark: Size bridges before resources allocation Greg Kroah-Hartman
2018-09-27 9:04 ` [PATCH 4.14 61/64] vmw_balloon: include asm/io.h Greg Kroah-Hartman
2018-09-27 9:04 ` [PATCH 4.14 62/64] iw_cxgb4: only allow 1 flush on user qps Greg Kroah-Hartman
2018-09-27 9:04 ` [PATCH 4.14 63/64] tick/nohz: Prevent bogus softirq pending warning Greg Kroah-Hartman
2018-09-27 9:04 ` [PATCH 4.14 64/64] crypto: x86/aegis,morus - Do not require OSXSAVE for SSE2 Greg Kroah-Hartman
2018-09-27 11:30 ` Sudip Mukherjee
2018-09-27 12:40 ` Greg Kroah-Hartman
2018-09-27 19:00 ` [PATCH 4.14 00/64] 4.14.73-stable review Nathan Chancellor
2018-09-27 19:20 ` Greg Kroah-Hartman
2018-09-27 19:57 ` Rafael David Tinoco
2018-09-27 20:10 ` Shuah Khan
2018-09-27 20:56 ` Sudip Mukherjee
2018-09-27 21:45 ` Sudip Mukherjee
2018-09-28 4:46 ` Greg Kroah-Hartman
2018-09-27 21:56 ` Guenter Roeck
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20180927090255.339196143@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=linux-kernel@vger.kernel.org \
--cc=martin.petersen@oracle.com \
--cc=mchristi@redhat.com \
--cc=plr.vincent@gmail.com \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).