microsoft
/
WSL2-Linux-Kernel
зеркало из https://github.com/microsoft/WSL2-Linux-Kernel.git
1
0
Форкнуть 0
Код Задачи Пакеты Проекты Релизы Вики Активность
WSL2-Linux-Kernel/drivers
История
Vincent Pelletier 1816494330 scsi: target: iscsi: Use hex2bin instead of a re-implementation 
This change has the following effects, in order of descreasing importance:

1) Prevent a stack buffer overflow

2) Do not append an unnecessary NULL to an anyway binary buffer, which
   is writing one byte past client_digest when caller is:
   chap_string_to_hex(client_digest, chap_r, strlen(chap_r));

The latter was found by KASAN (see below) when input value hes expected size
(32 hex chars), and further analysis revealed a stack buffer overflow can
happen when network-received value is longer, allowing an unauthenticated
remote attacker to smash up to 17 bytes after destination buffer (16 bytes
attacker-controlled and one null).  As switching to hex2bin requires
specifying destination buffer length, and does not internally append any null,
it solves both issues.

This addresses CVE-2018-14633.

Beyond this:

- Validate received value length and check hex2bin accepted the input, to log
  this rejection reason instead of just failing authentication.

- Only log received CHAP_R and CHAP_C values once they passed sanity checks.

==================================================================
BUG: KASAN: stack-out-of-bounds in chap_string_to_hex+0x32/0x60 [iscsi_target_mod]
Write of size 1 at addr ffff8801090ef7c8 by task kworker/0:0/1021

CPU: 0 PID: 1021 Comm: kworker/0:0 Tainted: G           O      4.17.8kasan.sess.connops+ #2
Hardware name: To be filled by O.E.M. To be filled by O.E.M./Aptio CRB, BIOS 5.6.5 05/19/2014
Workqueue: events iscsi_target_do_login_rx [iscsi_target_mod]
Call Trace:
 dump_stack+0x71/0xac
 print_address_description+0x65/0x22e
 ? chap_string_to_hex+0x32/0x60 [iscsi_target_mod]
 kasan_report.cold.6+0x241/0x2fd
 chap_string_to_hex+0x32/0x60 [iscsi_target_mod]
 chap_server_compute_md5.isra.2+0x2cb/0x860 [iscsi_target_mod]
 ? chap_binaryhex_to_asciihex.constprop.5+0x50/0x50 [iscsi_target_mod]
 ? ftrace_caller_op_ptr+0xe/0xe
 ? __orc_find+0x6f/0xc0
 ? unwind_next_frame+0x231/0x850
 ? kthread+0x1a0/0x1c0
 ? ret_from_fork+0x35/0x40
 ? ret_from_fork+0x35/0x40
 ? iscsi_target_do_login_rx+0x3bc/0x4c0 [iscsi_target_mod]
 ? deref_stack_reg+0xd0/0xd0
 ? iscsi_target_do_login_rx+0x3bc/0x4c0 [iscsi_target_mod]
 ? is_module_text_address+0xa/0x11
 ? kernel_text_address+0x4c/0x110
 ? __save_stack_trace+0x82/0x100
 ? ret_from_fork+0x35/0x40
 ? save_stack+0x8c/0xb0
 ? 0xffffffffc1660000
 ? iscsi_target_do_login+0x155/0x8d0 [iscsi_target_mod]
 ? iscsi_target_do_login_rx+0x3bc/0x4c0 [iscsi_target_mod]
 ? process_one_work+0x35c/0x640
 ? worker_thread+0x66/0x5d0
 ? kthread+0x1a0/0x1c0
 ? ret_from_fork+0x35/0x40
 ? iscsi_update_param_value+0x80/0x80 [iscsi_target_mod]
 ? iscsit_release_cmd+0x170/0x170 [iscsi_target_mod]
 chap_main_loop+0x172/0x570 [iscsi_target_mod]
 ? chap_server_compute_md5.isra.2+0x860/0x860 [iscsi_target_mod]
 ? rx_data+0xd6/0x120 [iscsi_target_mod]
 ? iscsit_print_session_params+0xd0/0xd0 [iscsi_target_mod]
 ? cyc2ns_read_begin.part.2+0x90/0x90
 ? _raw_spin_lock_irqsave+0x25/0x50
 ? memcmp+0x45/0x70
 iscsi_target_do_login+0x875/0x8d0 [iscsi_target_mod]
 ? iscsi_target_check_first_request.isra.5+0x1a0/0x1a0 [iscsi_target_mod]
 ? del_timer+0xe0/0xe0
 ? memset+0x1f/0x40
 ? flush_sigqueue+0x29/0xd0
 iscsi_target_do_login_rx+0x3bc/0x4c0 [iscsi_target_mod]
 ? iscsi_target_nego_release+0x80/0x80 [iscsi_target_mod]
 ? iscsi_target_restore_sock_callbacks+0x130/0x130 [iscsi_target_mod]
 process_one_work+0x35c/0x640
 worker_thread+0x66/0x5d0
 ? flush_rcu_work+0x40/0x40
 kthread+0x1a0/0x1c0
 ? kthread_bind+0x30/0x30
 ret_from_fork+0x35/0x40

The buggy address belongs to the page:
page:ffffea0004243bc0 count:0 mapcount:0 mapping:0000000000000000 index:0x0
flags: 0x17fffc000000000()
raw: 017fffc000000000 0000000000000000 0000000000000000 00000000ffffffff
raw: ffffea0004243c20 ffffea0004243ba0 0000000000000000 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8801090ef680: f2 f2 f2 f2 f2 f2 f2 01 f2 f2 f2 f2 f2 f2 f2 00
 ffff8801090ef700: f2 f2 f2 f2 f2 f2 f2 00 02 f2 f2 f2 f2 f2 f2 00
>ffff8801090ef780: 00 f2 f2 f2 f2 f2 f2 00 00 f2 f2 f2 f2 f2 f2 00
                                              ^
 ffff8801090ef800: 00 f2 f2 f2 f2 f2 f2 00 00 00 00 02 f2 f2 f2 f2
 ffff8801090ef880: f2 f2 f2 00 00 00 00 00 00 00 00 f2 f2 f2 f2 00
==================================================================

Signed-off-by: Vincent Pelletier <plr.vincent@gmail.com>
Reviewed-by: Mike Christie <mchristi@redhat.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
 		2018-09-21 12:31:13 -04:00
..
accessibility
acpi libnvdimm-for-4.19_misc 2018-08-25 18:13:10 -07:00
amba
android android: binder: Rate-limit debug and userspace triggered err msgs 2018-08-08 11:05:47 +02:00
ata scsi: libata: Add missing newline at end of file 2018-08-27 12:26:10 -04:00
atm
auxdisplay Char/Misc driver patches for 4.19-rc1 2018-08-18 11:04:51 -07:00
base Driver core patches for 4.19-rc1 2018-08-18 11:44:53 -07:00
bcma
block Merge branch 'ida-4.19' of git://git.infradead.org/users/willy/linux-dax 2018-08-26 11:48:42 -07:00
bluetooth Bluetooth: mediatek: pass correct size to h4_recv_buf() 2018-08-13 15:59:39 +02:00
bus ARM: SoC driver updates 2018-08-23 13:52:46 -07:00
cdrom cdrom: Use struct scsi_sense_hdr internally 2018-08-02 15:22:39 -06:00
char RTC for 4.19 2018-08-20 16:30:27 -07:00
clk ARM: SoC driver updates 2018-08-23 13:52:46 -07:00
clocksource RISC-V Updates for the 4.19 Merge Window 2018-08-19 09:56:38 -07:00
connector
cpufreq ARM: SoC driver updates 2018-08-23 13:52:46 -07:00
cpuidle More power management updates for 4.19-rc1 2018-08-22 07:42:36 -07:00
crypto Merge branch 'akpm' (patches from Andrew) 2018-08-23 19:20:12 -07:00
dax libnvdimm-for-4.19_dax-memory-failure 2018-08-25 18:43:59 -07:00
dca
devfreq Char/Misc driver patches for 4.19-rc1 2018-08-18 11:04:51 -07:00
dio
dma Merge branch 'ida-4.19' of git://git.infradead.org/users/willy/linux-dax 2018-08-26 11:48:42 -07:00
dma-buf
edac EDAC: Add missing MEM_LRDDR4 entry in edac_mem_types[] 2018-08-17 15:13:34 +02:00
eisa
extcon
firewire firewire: use 64-bit time_t based interfaces 2018-08-17 16:20:27 -07:00
firmware fbdev changes for v4.19: 2018-08-23 15:44:58 -07:00
fmc
fpga
fsi fsi: sbefifo: Bump max command length 2018-08-08 15:44:47 +10:00
gnss
gpio - New Drivers 2018-08-20 15:38:44 -07:00
gpu Merge branch 'ida-4.19' of git://git.infradead.org/users/willy/linux-dax 2018-08-26 11:48:42 -07:00
hid Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/hid 2018-08-20 15:59:01 -07:00
hsi
hv
hwmon ARM: SoC driver updates 2018-08-23 13:52:46 -07:00
hwspinlock
hwtracing drivers/hwtracing/intel_th/msu.c: change return type to vm_fault_t 2018-08-23 18:48:43 -07:00
i2c i2c: don't use any __deprecated handling anymore 2018-08-24 17:26:43 +02:00
ide Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/ide 2018-08-22 07:40:33 -07:00
idle
iio treewide: convert ISO_8859-1 text comments to utf-8 2018-08-23 18:48:43 -07:00
infiniband Second merge window update 2018-08-23 15:34:48 -07:00
input ARM: 32-bit SoC platform updates 2018-08-23 13:44:43 -07:00
iommu ARM: SoC: late updates 2018-08-25 14:12:36 -07:00
ipack
irqchip Merge branch 'irq-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip 2018-08-26 09:55:28 -07:00
isdn isdn: Disable IIOCDBGVAR 2018-08-16 12:26:24 -07:00
leds leds: ns2: Change unsigned to unsigned int 2018-08-06 23:03:12 +02:00
lightnvm
macintosh macintosh: therm_windtunnel: drop using attach_adapter 2018-08-24 14:42:42 +02:00
mailbox mailbox: Add support for i.MX messaging unit 2018-08-15 09:53:07 +05:30
mcb
md libnvdimm-for-4.19_misc 2018-08-25 18:13:10 -07:00
media Merge branch 'ida-4.19' of git://git.infradead.org/users/willy/linux-dax 2018-08-26 11:48:42 -07:00
memory ARM: SoC driver updates 2018-08-23 13:52:46 -07:00
memstick
message
mfd Merge branch 'i2c/for-4.19' of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux 2018-08-21 17:40:46 -07:00
misc Merge branch 'ida-4.19' of git://git.infradead.org/users/willy/linux-dax 2018-08-26 11:48:42 -07:00
mmc Merge branch 'asoc-4.19' into asoc-next 2018-08-09 14:47:05 +01:00
mtd This pull request contains updates for both UBI and UBIFS: 2018-08-23 15:58:04 -07:00
mux
net ARM: 32-bit SoC platform updates 2018-08-23 13:44:43 -07:00
nfc
ntb
nubus
nvdimm libnvdimm-for-4.19_dax-memory-failure 2018-08-25 18:43:59 -07:00
nvme Merge branch 'linus/master' into rdma.git for-next 2018-08-16 14:21:29 -06:00
nvmem
of Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next 2018-08-15 15:04:25 -07:00
opp
oprofile
parisc
parport Char/Misc driver patches for 4.19-rc1 2018-08-18 11:04:51 -07:00
pci Merge branch 'akpm' (patches from Andrew) 2018-08-22 12:34:08 -07:00
pcmcia pcmcia: remove long deprecated pcmcia_request_exclusive_irq() function 2018-08-18 12:30:42 -07:00
perf Char/Misc driver patches for 4.19-rc1 2018-08-18 11:04:51 -07:00
phy
pinctrl - New Drivers 2018-08-20 15:38:44 -07:00
platform platform-drivers-x86 for v4.19-1 2018-08-22 14:14:15 -07:00
pnp
power treewide: convert ISO_8859-1 text comments to utf-8 2018-08-23 18:48:43 -07:00
powercap
pps
ps3
ptp Char/Misc driver patches for 4.19-rc1 2018-08-18 11:04:51 -07:00
pwm pwm: mediatek: Add MT7628 support 2018-08-20 11:36:07 +02:00
rapidio drivers/rapidio/devices/rio_mport_cdev.c: remove redundant pointer md 2018-08-22 10:52:51 -07:00
ras
regulator - New Drivers 2018-08-20 15:38:44 -07:00
remoteproc remoteproc/davinci: use the reset framework 2018-08-16 17:39:55 -07:00
reset ARM: SoC: late updates 2018-08-25 14:12:36 -07:00
rpmsg
rtc RTC for 4.19 2018-08-20 16:30:27 -07:00
s390 libnvdimm-for-4.19_misc 2018-08-25 18:13:10 -07:00
sbus
scsi scsi: lpfc: Synchronize access to remoteport via rport 2018-09-20 22:02:36 -04:00
sfi
sh
siox
slimbus
sn
soc ARM: Device-tree updates 2018-08-23 14:02:22 -07:00
soundwire
spi hwspinlock updates for v4.19 2018-08-18 16:45:27 -07:00
spmi
ssb ssb: Remove SSB_WARN_ON, SSB_BUG_ON and SSB_DEBUG 2018-08-09 18:47:47 +03:00
staging ARM: SoC driver updates 2018-08-23 13:52:46 -07:00
target scsi: target: iscsi: Use hex2bin instead of a re-implementation 2018-09-21 12:31:13 -04:00
tc
tee ARM: SoC driver updates 2018-08-23 13:52:46 -07:00
thermal Merge branch 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/rzhang/linux 2018-08-24 13:03:51 -07:00
thunderbolt
tty powerpc fixes for 4.19 #2 2018-08-24 09:34:23 -07:00
uio Char/Misc fix for 4.19-rc1 2018-08-19 09:30:44 -07:00
usb ARM: SoC driver updates 2018-08-23 13:52:46 -07:00
uwb
vfio powerpc updates for 4.19 2018-08-17 11:32:50 -07:00
vhost virtio, vhost: fixes, tweaks 2018-08-24 08:45:19 -07:00
video fbdev changes for v4.19: 2018-08-23 15:44:58 -07:00
virt
virtio virtio, vhost: fixes, tweaks 2018-08-24 08:45:19 -07:00
visorbus
vlynq
vme
w1 power supply and reset changes for the v4.19 series 2018-08-21 18:06:27 -07:00
watchdog include/linux/compiler*.h: make compiler-*.h mutually exclusive 2018-08-22 17:31:34 -07:00
xen xen: fixes and cleanups for 4.19-rc1, second round 2018-08-23 14:52:23 -07:00
zorro
Kconfig
Makefile Char/Misc driver patches for 4.19-rc1 2018-08-18 11:04:51 -07:00