oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

CVE-2023-0122: Linux kernel: Pre-Auth Remote DoS in NVMe

From: Tal Lossos <tallossos () gmail com>
Date: Thu, 12 Jan 2023 16:12:30 +0200
Hi all,

# Description
A NULL Pointer Dereference bug in nvmet_setup_auth
(drivers/nvme/target/auth.c) can be triggered remotely to cause a DoS.
Since the bug occurs in the authentication feature, it can be easily
triggered by an unauthorized client in the pre-auth stage.
Versions affected - v6.0-rc1 to v6.0-rc3 (fixed in v6.0-rc4).

# Vulnerability
The vulnerability is caused by a missing goto statement after
assigning ctrl->ctrl_key to NULL, thus causing a NULL Pointer
Dereference afterward:
---
ctrl->ctrl_key = nvme_auth_extract_key(host->dhchap_ctrl_secret + 10,
    host->dhchap_ctrl_key_hash);
if (IS_ERR(ctrl->ctrl_key)) {
    ret = PTR_ERR(ctrl->ctrl_key);
    ctrl->ctrl_key = NULL;   <--- Assigning NULL
}

pr_debug("%s: using ctrl hash %s key %*ph\n", func,
    ctrl->ctrl_key->hash > 0 ?   <--- NULL pointer dereference
    nvme_auth_hmac_name(ctrl->ctrl_key->hash) : "none",
    (int)ctrl->ctrl_key->len, ctrl->ctrl_key->key);
---

# Exploitation
If an invalid dhchap_ctrl_key (e.g., ‘DHHC-1:00:AAAA:’) is configured
in the NVMe target under a host object, when a remote client tries to
connect to the NVMe subsystem (e.g., NVMe-TCP), the NULL Pointer
Dereference would be triggered thus causing a DoS on the target
machine.
Running ‘nvme connect’ from a client to the remote subsystem would
cause a DoS on the remote target.
To bypass the authentication feature, we can pass the allowed client’s
NQN to the ‘nvme connect’ command, which can be obtained by network
sniffing.

# Patch
Bug report - https://lore.kernel.org/linux-nvme/20220823161255.GA21462 () lst de/T/#t
Fix patch - https://lore.kernel.org/linux-nvme/20220831045908.GC18042 () lst de/T/#u


Regards,
Tal Lossos
Previous By Date Next
Previous By Thread Next

Current thread: