nvme-tcp: fix potential memory corruption in nvme_tcp_recv_pdu()

PlaidCat · PlaidCat · commit 80bed8e2bf7a · 2025-05-05T16:58:44.000-04:00
jira LE-2974 cve CVE-2025-21927 Rebuild_History Non-Buildable kernel-5.14.0-503.40.1.el9_5 commit-author Maurizio Lombardi <mlombard@redhat.com> commit ad95bab Empty-Commit: Cherry-Pick Conflicts during history rebuild. Will be included in final tarball splat. Ref for failed cherry-pick at: ciq/ciq_backports/kernel-5.14.0-503.40.1.el9_5/ad95bab0.failed nvme_tcp_recv_pdu() doesn't check the validity of the header length. When header digests are enabled, a target might send a packet with an invalid header length (e.g. 255), causing nvme_tcp_verify_hdgst() to access memory outside the allocated area and cause memory corruptions by overwriting it with the calculated digest. Fix this by rejecting packets with an unexpected header length. Fixes: 3f2304f ("nvme-tcp: add NVMe over TCP host driver") Signed-off-by: Maurizio Lombardi <mlombard@redhat.com> Reviewed-by: Sagi Grimberg <sagi@grimberg.me> Signed-off-by: Keith Busch <kbusch@kernel.org> (cherry picked from commit ad95bab) Signed-off-by: Jonathan Maple <jmaple@ciq.com> # Conflicts: # drivers/nvme/host/tcp.c
diff --git a/ciq/ciq_backports/kernel-5.14.0-503.40.1.el9_5/ad95bab0.failed b/ciq/ciq_backports/kernel-5.14.0-503.40.1.el9_5/ad95bab0.failed
@@ -0,0 +1,101 @@
+nvme-tcp: fix potential memory corruption in nvme_tcp_recv_pdu()
+
+jira LE-2974
+cve CVE-2025-21927
+Rebuild_History Non-Buildable kernel-5.14.0-503.40.1.el9_5
+commit-author Maurizio Lombardi <mlombard@redhat.com>
+commit ad95bab0cd28ed77c2c0d0b6e76e03e031391064
+Empty-Commit: Cherry-Pick Conflicts during history rebuild.
+Will be included in final tarball splat. Ref for failed cherry-pick at:
+ciq/ciq_backports/kernel-5.14.0-503.40.1.el9_5/ad95bab0.failed
+
+nvme_tcp_recv_pdu() doesn't check the validity of the header length.
+When header digests are enabled, a target might send a packet with an
+invalid header length (e.g. 255), causing nvme_tcp_verify_hdgst()
+to access memory outside the allocated area and cause memory corruptions
+by overwriting it with the calculated digest.
+
+Fix this by rejecting packets with an unexpected header length.
+
+Fixes: 3f2304f8c6d6 ("nvme-tcp: add NVMe over TCP host driver")
+	Signed-off-by: Maurizio Lombardi <mlombard@redhat.com>
+	Reviewed-by: Sagi Grimberg <sagi@grimberg.me>
+	Signed-off-by: Keith Busch <kbusch@kernel.org>
+(cherry picked from commit ad95bab0cd28ed77c2c0d0b6e76e03e031391064)
+	Signed-off-by: Jonathan Maple <jmaple@ciq.com>
+
+# Conflicts:
+#	drivers/nvme/host/tcp.c
+diff --cc drivers/nvme/host/tcp.c
+index 12d3a23bd4c1,23f11527d29d..000000000000
+--- a/drivers/nvme/host/tcp.c
++++ b/drivers/nvme/host/tcp.c
+@@@ -205,7 -217,34 +205,38 @@@ static inline int nvme_tcp_queue_id(str
+  	return queue - queue->ctrl->queues;
+  }
+  
+++<<<<<<< HEAD
+ +static inline bool nvme_tcp_tls(struct nvme_ctrl *ctrl)
+++=======
++ static inline bool nvme_tcp_recv_pdu_supported(enum nvme_tcp_pdu_type type)
++ {
++ 	switch (type) {
++ 	case nvme_tcp_c2h_term:
++ 	case nvme_tcp_c2h_data:
++ 	case nvme_tcp_r2t:
++ 	case nvme_tcp_rsp:
++ 		return true;
++ 	default:
++ 		return false;
++ 	}
++ }
++ 
++ /*
++  * Check if the queue is TLS encrypted
++  */
++ static inline bool nvme_tcp_queue_tls(struct nvme_tcp_queue *queue)
++ {
++ 	if (!IS_ENABLED(CONFIG_NVME_TCP_TLS))
++ 		return 0;
++ 
++ 	return queue->tls_enabled;
++ }
++ 
++ /*
++  * Check if TLS is configured for the controller.
++  */
++ static inline bool nvme_tcp_tls_configured(struct nvme_ctrl *ctrl)
+++>>>>>>> ad95bab0cd28 (nvme-tcp: fix potential memory corruption in nvme_tcp_recv_pdu())
+  {
+  	if (!IS_ENABLED(CONFIG_NVME_TCP_TLS))
+  		return 0;
+@@@ -758,6 -831,25 +789,28 @@@ static int nvme_tcp_recv_pdu(struct nvm
+  		return 0;
+  
+  	hdr = queue->pdu;
+++<<<<<<< HEAD
+++=======
++ 	if (unlikely(hdr->hlen != sizeof(struct nvme_tcp_rsp_pdu))) {
++ 		if (!nvme_tcp_recv_pdu_supported(hdr->type))
++ 			goto unsupported_pdu;
++ 
++ 		dev_err(queue->ctrl->ctrl.device,
++ 			"pdu type %d has unexpected header length (%d)\n",
++ 			hdr->type, hdr->hlen);
++ 		return -EPROTO;
++ 	}
++ 
++ 	if (unlikely(hdr->type == nvme_tcp_c2h_term)) {
++ 		/*
++ 		 * C2HTermReq never includes Header or Data digests.
++ 		 * Skip the checks.
++ 		 */
++ 		nvme_tcp_handle_c2h_term(queue, (void *)queue->pdu);
++ 		return -EINVAL;
++ 	}
++ 
+++>>>>>>> ad95bab0cd28 (nvme-tcp: fix potential memory corruption in nvme_tcp_recv_pdu())
+  	if (queue->hdr_digest) {
+  		ret = nvme_tcp_verify_hdgst(queue, queue->pdu, hdr->hlen);
+  		if (unlikely(ret))
+* Unmerged path drivers/nvme/host/tcp.c
