From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Vincent Pelletier <plr.vincent@gmail.com>,
Mike Christie <mchristi@redhat.com>,
"Martin K. Petersen" <martin.petersen@oracle.com>
Subject: [PATCH 4.4 16/28] scsi: target: iscsi: Use hex2bin instead of a re-implementation
Date: Thu, 27 Sep 2018 11:06:40 +0200 [thread overview]
Message-ID: <20180927090638.365266664@linuxfoundation.org> (raw)
In-Reply-To: <20180927090637.687829444@linuxfoundation.org>
4.4-stable review patch. If anyone has any objections, please let me know.
------------------
From: Vincent Pelletier <plr.vincent@gmail.com>
commit 1816494330a83f2a064499d8ed2797045641f92c upstream.
This change has the following effects, in order of descreasing importance:
1) Prevent a stack buffer overflow
2) Do not append an unnecessary NULL to an anyway binary buffer, which
is writing one byte past client_digest when caller is:
chap_string_to_hex(client_digest, chap_r, strlen(chap_r));
The latter was found by KASAN (see below) when input value hes expected size
(32 hex chars), and further analysis revealed a stack buffer overflow can
happen when network-received value is longer, allowing an unauthenticated
remote attacker to smash up to 17 bytes after destination buffer (16 bytes
attacker-controlled and one null). As switching to hex2bin requires
specifying destination buffer length, and does not internally append any null,
it solves both issues.
This addresses CVE-2018-14633.
Beyond this:
- Validate received value length and check hex2bin accepted the input, to log
this rejection reason instead of just failing authentication.
- Only log received CHAP_R and CHAP_C values once they passed sanity checks.
==================================================================
BUG: KASAN: stack-out-of-bounds in chap_string_to_hex+0x32/0x60 [iscsi_target_mod]
Write of size 1 at addr ffff8801090ef7c8 by task kworker/0:0/1021
CPU: 0 PID: 1021 Comm: kworker/0:0 Tainted: G O 4.17.8kasan.sess.connops+ #2
Hardware name: To be filled by O.E.M. To be filled by O.E.M./Aptio CRB, BIOS 5.6.5 05/19/2014
Workqueue: events iscsi_target_do_login_rx [iscsi_target_mod]
Call Trace:
dump_stack+0x71/0xac
print_address_description+0x65/0x22e
? chap_string_to_hex+0x32/0x60 [iscsi_target_mod]
kasan_report.cold.6+0x241/0x2fd
chap_string_to_hex+0x32/0x60 [iscsi_target_mod]
chap_server_compute_md5.isra.2+0x2cb/0x860 [iscsi_target_mod]
? chap_binaryhex_to_asciihex.constprop.5+0x50/0x50 [iscsi_target_mod]
? ftrace_caller_op_ptr+0xe/0xe
? __orc_find+0x6f/0xc0
? unwind_next_frame+0x231/0x850
? kthread+0x1a0/0x1c0
? ret_from_fork+0x35/0x40
? ret_from_fork+0x35/0x40
? iscsi_target_do_login_rx+0x3bc/0x4c0 [iscsi_target_mod]
? deref_stack_reg+0xd0/0xd0
? iscsi_target_do_login_rx+0x3bc/0x4c0 [iscsi_target_mod]
? is_module_text_address+0xa/0x11
? kernel_text_address+0x4c/0x110
? __save_stack_trace+0x82/0x100
? ret_from_fork+0x35/0x40
? save_stack+0x8c/0xb0
? 0xffffffffc1660000
? iscsi_target_do_login+0x155/0x8d0 [iscsi_target_mod]
? iscsi_target_do_login_rx+0x3bc/0x4c0 [iscsi_target_mod]
? process_one_work+0x35c/0x640
? worker_thread+0x66/0x5d0
? kthread+0x1a0/0x1c0
? ret_from_fork+0x35/0x40
? iscsi_update_param_value+0x80/0x80 [iscsi_target_mod]
? iscsit_release_cmd+0x170/0x170 [iscsi_target_mod]
chap_main_loop+0x172/0x570 [iscsi_target_mod]
? chap_server_compute_md5.isra.2+0x860/0x860 [iscsi_target_mod]
? rx_data+0xd6/0x120 [iscsi_target_mod]
? iscsit_print_session_params+0xd0/0xd0 [iscsi_target_mod]
? cyc2ns_read_begin.part.2+0x90/0x90
? _raw_spin_lock_irqsave+0x25/0x50
? memcmp+0x45/0x70
iscsi_target_do_login+0x875/0x8d0 [iscsi_target_mod]
? iscsi_target_check_first_request.isra.5+0x1a0/0x1a0 [iscsi_target_mod]
? del_timer+0xe0/0xe0
? memset+0x1f/0x40
? flush_sigqueue+0x29/0xd0
iscsi_target_do_login_rx+0x3bc/0x4c0 [iscsi_target_mod]
? iscsi_target_nego_release+0x80/0x80 [iscsi_target_mod]
? iscsi_target_restore_sock_callbacks+0x130/0x130 [iscsi_target_mod]
process_one_work+0x35c/0x640
worker_thread+0x66/0x5d0
? flush_rcu_work+0x40/0x40
kthread+0x1a0/0x1c0
? kthread_bind+0x30/0x30
ret_from_fork+0x35/0x40
The buggy address belongs to the page:
page:ffffea0004243bc0 count:0 mapcount:0 mapping:0000000000000000 index:0x0
flags: 0x17fffc000000000()
raw: 017fffc000000000 0000000000000000 0000000000000000 00000000ffffffff
raw: ffffea0004243c20 ffffea0004243ba0 0000000000000000 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff8801090ef680: f2 f2 f2 f2 f2 f2 f2 01 f2 f2 f2 f2 f2 f2 f2 00
ffff8801090ef700: f2 f2 f2 f2 f2 f2 f2 00 02 f2 f2 f2 f2 f2 f2 00
>ffff8801090ef780: 00 f2 f2 f2 f2 f2 f2 00 00 f2 f2 f2 f2 f2 f2 00
^
ffff8801090ef800: 00 f2 f2 f2 f2 f2 f2 00 00 00 00 02 f2 f2 f2 f2
ffff8801090ef880: f2 f2 f2 00 00 00 00 00 00 00 00 f2 f2 f2 f2 00
==================================================================
Signed-off-by: Vincent Pelletier <plr.vincent@gmail.com>
Reviewed-by: Mike Christie <mchristi@redhat.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/target/iscsi/iscsi_target_auth.c | 30 ++++++++++++++----------------
1 file changed, 14 insertions(+), 16 deletions(-)
--- a/drivers/target/iscsi/iscsi_target_auth.c
+++ b/drivers/target/iscsi/iscsi_target_auth.c
@@ -26,18 +26,6 @@
#include "iscsi_target_nego.h"
#include "iscsi_target_auth.h"
-static int chap_string_to_hex(unsigned char *dst, unsigned char *src, int len)
-{
- int j = DIV_ROUND_UP(len, 2), rc;
-
- rc = hex2bin(dst, src, j);
- if (rc < 0)
- pr_debug("CHAP string contains non hex digit symbols\n");
-
- dst[j] = '\0';
- return j;
-}
-
static void chap_binaryhex_to_asciihex(char *dst, char *src, int src_len)
{
int i;
@@ -241,9 +229,16 @@ static int chap_server_compute_md5(
pr_err("Could not find CHAP_R.\n");
goto out;
}
+ if (strlen(chap_r) != MD5_SIGNATURE_SIZE * 2) {
+ pr_err("Malformed CHAP_R\n");
+ goto out;
+ }
+ if (hex2bin(client_digest, chap_r, MD5_SIGNATURE_SIZE) < 0) {
+ pr_err("Malformed CHAP_R\n");
+ goto out;
+ }
pr_debug("[server] Got CHAP_R=%s\n", chap_r);
- chap_string_to_hex(client_digest, chap_r, strlen(chap_r));
tfm = crypto_alloc_hash("md5", 0, CRYPTO_ALG_ASYNC);
if (IS_ERR(tfm)) {
@@ -348,9 +343,7 @@ static int chap_server_compute_md5(
pr_err("Could not find CHAP_C.\n");
goto out;
}
- pr_debug("[server] Got CHAP_C=%s\n", challenge);
- challenge_len = chap_string_to_hex(challenge_binhex, challenge,
- strlen(challenge));
+ challenge_len = DIV_ROUND_UP(strlen(challenge), 2);
if (!challenge_len) {
pr_err("Unable to convert incoming challenge\n");
goto out;
@@ -359,6 +352,11 @@ static int chap_server_compute_md5(
pr_err("CHAP_C exceeds maximum binary size of 1024 bytes\n");
goto out;
}
+ if (hex2bin(challenge_binhex, challenge, challenge_len) < 0) {
+ pr_err("Malformed CHAP_C\n");
+ goto out;
+ }
+ pr_debug("[server] Got CHAP_C=%s\n", challenge);
/*
* During mutual authentication, the CHAP_C generated by the
* initiator must not match the original CHAP_C generated by
next prev parent reply other threads:[~2018-09-27 9:33 UTC|newest]
Thread overview: 33+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-09-27 9:06 [PATCH 4.4 00/28] 4.4.159-stable review Greg Kroah-Hartman
2018-09-27 9:06 ` [PATCH 4.4 01/28] NFC: Fix possible memory corruption when handling SHDLC I-Frame commands Greg Kroah-Hartman
2018-09-27 9:06 ` [PATCH 4.4 02/28] NFC: Fix the number of pipes Greg Kroah-Hartman
2018-09-27 9:06 ` [PATCH 4.4 03/28] ASoC: cs4265: fix MMTLR Data switch control Greg Kroah-Hartman
2018-09-27 9:06 ` [PATCH 4.4 04/28] ALSA: bebob: use address returned by kmalloc() instead of kernel stack for streaming DMA mapping Greg Kroah-Hartman
2018-09-27 9:06 ` [PATCH 4.4 05/28] ALSA: emu10k1: fix possible info leak to userspace on SNDRV_EMU10K1_IOCTL_INFO Greg Kroah-Hartman
2018-09-27 9:06 ` [PATCH 4.4 06/28] platform/x86: alienware-wmi: Correct a memory leak Greg Kroah-Hartman
2018-09-27 9:06 ` [PATCH 4.4 07/28] xen/netfront: dont bug in case of too many frags Greg Kroah-Hartman
2018-09-27 9:06 ` [PATCH 4.4 08/28] xen/x86/vpmu: Zero struct pt_regs before calling into sample handling code Greg Kroah-Hartman
2018-09-27 9:06 ` [PATCH 4.4 09/28] ring-buffer: Allow for rescheduling when removing pages Greg Kroah-Hartman
2018-09-27 9:06 ` [PATCH 4.4 10/28] mm: shmem.c: Correctly annotate new inodes for lockdep Greg Kroah-Hartman
2018-09-27 9:06 ` [PATCH 4.4 11/28] gso_segment: Reset skb->mac_len after modifying network header Greg Kroah-Hartman
2018-09-27 9:06 ` [PATCH 4.4 12/28] ipv6: fix possible use-after-free in ip6_xmit() Greg Kroah-Hartman
2018-09-27 9:06 ` [PATCH 4.4 13/28] net/appletalk: fix minor pointer leak to userspace in SIOCFINDIPDDPRT Greg Kroah-Hartman
2018-09-27 9:06 ` [PATCH 4.4 14/28] net: hp100: fix always-true check for link up state Greg Kroah-Hartman
2018-09-27 9:06 ` [PATCH 4.4 15/28] neighbour: confirm neigh entries when ARP packet is received Greg Kroah-Hartman
2018-09-27 9:06 ` Greg Kroah-Hartman [this message]
2018-09-27 9:06 ` [PATCH 4.4 17/28] ocfs2: fix ocfs2 read block panic Greg Kroah-Hartman
2018-09-27 9:06 ` [PATCH 4.4 18/28] drm/nouveau/drm/nouveau: Use pm_runtime_get_noresume() in connector_detect() Greg Kroah-Hartman
2018-09-27 9:06 ` [PATCH 4.4 19/28] tty: vt_ioctl: fix potential Spectre v1 Greg Kroah-Hartman
2018-09-27 9:06 ` [PATCH 4.4 20/28] ext4: avoid divide by zero fault when deleting corrupted inline directories Greg Kroah-Hartman
2018-09-27 9:06 ` [PATCH 4.4 21/28] ext4: recalucate superblock checksum after updating free blocks/inodes Greg Kroah-Hartman
2018-09-27 9:06 ` [PATCH 4.4 22/28] ext4: fix online resizes handling of a too-small final block group Greg Kroah-Hartman
2018-09-27 9:06 ` [PATCH 4.4 23/28] ext4: fix online resizing for bigalloc file systems with a 1k block size Greg Kroah-Hartman
2018-09-27 9:06 ` [PATCH 4.4 24/28] ext4: dont mark mmp buffer head dirty Greg Kroah-Hartman
2018-09-27 9:06 ` [PATCH 4.4 25/28] arm64: Add trace_hardirqs_off annotation in ret_to_user Greg Kroah-Hartman
2018-09-27 9:06 ` [PATCH 4.4 26/28] HID: sony: Update device ids Greg Kroah-Hartman
2018-09-27 9:06 ` [PATCH 4.4 27/28] HID: sony: Support DS4 dongle Greg Kroah-Hartman
2018-09-27 9:06 ` [PATCH 4.4 28/28] iw_cxgb4: only allow 1 flush on user qps Greg Kroah-Hartman
2018-09-27 18:58 ` [PATCH 4.4 00/28] 4.4.159-stable review Nathan Chancellor
2018-09-27 19:47 ` Rafael David Tinoco
2018-09-27 20:19 ` Shuah Khan
2018-09-27 23:05 ` Guenter Roeck
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20180927090638.365266664@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=linux-kernel@vger.kernel.org \
--cc=martin.petersen@oracle.com \
--cc=mchristi@redhat.com \
--cc=plr.vincent@gmail.com \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).