Message-Id: <D7QLI3PYQ877.1KH6K8K08P2IP@bsdbackstore.eu>
Date: Wed, 12 Feb 2025 17:07:59 +0100
From: "Maurizio Lombardi" <mlombard@...backstore.eu>
To: "Maurizio Lombardi" <mlombard@...backstore.eu>,
 "zhang.guanghui@...tc.cn" <zhang.guanghui@...tc.cn>, "sagi"
 <sagi@...mberg.me>, "mgurtovoy" <mgurtovoy@...dia.com>, "kbusch"
 <kbusch@...nel.org>, "sashal" <sashal@...nel.org>, "chunguang.xu"
 <chunguang.xu@...pee.com>
Cc: "linux-kernel" <linux-kernel@...r.kernel.org>, "linux-nvme"
 <linux-nvme@...ts.infradead.org>, "linux-block"
 <linux-block@...r.kernel.org>
Subject: Re: nvme-tcp: fix a possible UAF when failing to send request

On Wed Feb 12, 2025 at 4:33 PM CET, Maurizio Lombardi wrote:
>
> Taking a step back. Let's take a different approach and try to avoid the
> double completion.
>
> The problem here is that apparently we received a nvme_tcp_rsp capsule
> from the target, meaning that the command has been processed (I guess
> the capsule has an error status?)
>
> So maybe only part of the command has been sent?
> Why do we receive the rsp capsule at all? Shouldn't this be treated as a fatal
> error by the controller?


The NVMe/TCP specification says

******
When a controller detects a fatal error, that controller shall:
  1. stop processing any PDUs that arrive on the connection; and
  2. send a C2HTermReq PDU
******

And indeed I see in the dmesg this:

nvme nvme2: unsupported pdu type (3)

This means the controller detected the problem and sent to the host the
C2HTermReq command. Upon receiving this command, the host is supposed to
close the connection.

Now I get it.

Zhang, do you have commit aeacfcefa218f4ed11da478e9b7915a37d1afaff in
your kernel? I guess you are missing it. Please check.

Maurizio
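
The handling discussed in the message above, as an added example (not part of the original e-mail, and not the kernel's nvme-tcp code or the commit it references): a host-side classifier that recognises PDU type 3 as C2HTermReq, validates its lengths, and extracts the Fatal Error Status before the connection is closed. PDU type values and header layout are taken from the NVMe/TCP transport specification; all function, enum and struct names are hypothetical.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* PDU types and header layout per the NVMe/TCP transport specification. */
enum { PDU_C2H_TERM = 0x03, PDU_RSP = 0x05, PDU_C2H_DATA = 0x07, PDU_R2T = 0x09 };
enum { CH_LEN = 8, TERM_HLEN = 24, TERM_MAX_PLEN = 24 + 128 };
/* Hypothetical names: what the host receive path should do next. */
enum host_action { NEED_MORE, PROCESS, CLOSE_ON_TERMREQ, CLOSE_BAD_PDU };
struct verdict { enum host_action action; uint8_t type; uint16_t fes; };

/* Classify one controller-to-host PDU from the bytes received so far. */
struct verdict classify_c2h_pdu(const uint8_t *buf, size_t len)
{
    struct verdict v = { NEED_MORE, 0, 0 };
    if (len < CH_LEN)
        return v;                       /* common header not complete yet */
    v.type = buf[0];
    uint8_t hlen = buf[2];
    uint32_t plen = buf[4] | buf[5] << 8 | buf[6] << 16 | (uint32_t)buf[7] << 24;

    switch (v.type) {
    case PDU_C2H_TERM:
        /* Check the lengths before trusting anything past the common header. */
        if (hlen != TERM_HLEN || plen < TERM_HLEN || plen > TERM_MAX_PLEN)
            v.action = CLOSE_BAD_PDU;
        else if (len >= TERM_HLEN) {
            v.fes = (uint16_t)(buf[8] | buf[9] << 8);   /* Fatal Error Status */
            v.action = CLOSE_ON_TERMREQ;    /* stop I/O and close the connection */
        }
        break;
    case PDU_RSP: case PDU_C2H_DATA: case PDU_R2T:
        v.action = (hlen >= CH_LEN && plen >= hlen) ? PROCESS : CLOSE_BAD_PDU;
        break;
    default:
        v.action = CLOSE_BAD_PDU;       /* not a PDU a host should receive */
    }
    return v;
}

int main(void)
{
    /* Constructed sample: C2HTermReq, hlen=24, plen=24, FES=0x02. */
    uint8_t pdu[24] = { 0x03, 0, 24, 0, 24, 0, 0, 0, 0x02, 0x00 };
    struct verdict v = classify_c2h_pdu(pdu, sizeof(pdu));
    printf("type=%u action=%d fes=0x%04x\n", v.type, v.action, v.fes);
    return 0;
}
```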
