oss-sec mailing list archives
CVE-2023-0122: Linux kernel: Pre-Auth Remote DoS in NVMe
From: Tal Lossos <tallossos () gmail com>
Date: Thu, 12 Jan 2023 16:12:30 +0200
Hi all,

# Description

A NULL Pointer Dereference bug in nvmet_setup_auth (drivers/nvme/target/auth.c) can be triggered remotely to cause a DoS. Since the bug occurs in the authentication feature, it can be easily triggered by an unauthorized client in the pre-auth stage.

Versions affected - v6.0-rc1 to v6.0-rc3 (fixed in v6.0-rc4).

# Vulnerability

The vulnerability is caused by a missing goto statement after assigning ctrl->ctrl_key to NULL, thus causing a NULL Pointer Dereference afterward:

---
ctrl->ctrl_key = nvme_auth_extract_key(host->dhchap_ctrl_secret + 10,
				       host->dhchap_ctrl_key_hash);
if (IS_ERR(ctrl->ctrl_key)) {
	ret = PTR_ERR(ctrl->ctrl_key);
	ctrl->ctrl_key = NULL;                        <--- Assigning NULL
}
pr_debug("%s: using ctrl hash %s key %*ph\n", __func__,
	 ctrl->ctrl_key->hash > 0 ?                   <--- NULL pointer dereference
	 nvme_auth_hmac_name(ctrl->ctrl_key->hash) : "none",
	 (int)ctrl->ctrl_key->len, ctrl->ctrl_key->key);
---

# Exploitation

If an invalid dhchap_ctrl_key (e.g., ‘DHHC-1:00:AAAA:’) is configured in the NVMe target under a host object, when a remote client tries to connect to the NVMe subsystem (e.g., NVMe-TCP), the NULL Pointer Dereference would be triggered, thus causing a DoS on the target machine. Running ‘nvme connect’ from a client to the remote subsystem would cause a DoS on the remote target.

To bypass the authentication feature, we can pass the allowed client’s NQN to the ‘nvme connect’ command, which can be obtained by network sniffing.

# Patch

Bug report - https://lore.kernel.org/linux-nvme/20220823161255.GA21462 () lst de/T/#t

Fix patch - https://lore.kernel.org/linux-nvme/20220831045908.GC18042 () lst de/T/#u

Regards,
Tal Lossos
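The corrected error path from the advisory above, as an added userspace model that is not the kernel's code: ERR_PTR/IS_ERR/PTR_ERR are re-implemented locally, extract_key_model and the struct names are stand-ins, and the secret check only inspects the "DHHC-1:0H:" prefix and the base64 body length rather than decoding the key or verifying its CRC. The point it shows is that an error in key extraction must leave the function before the debug print touches ctrl_key.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Userspace stand-ins for the kernel's ERR_PTR()/PTR_ERR()/IS_ERR() idiom. */
#define ERR_PTR(err) ((void *)(long)(err))
#define PTR_ERR(ptr) ((long)(ptr))
#define IS_ERR(ptr)  ((unsigned long)(ptr) >= (unsigned long)-4095UL)

struct auth_key   { int hash; size_t len; };
struct host_model { const char *dhchap_ctrl_secret; };
struct ctrl_model { struct auth_key *ctrl_key; };

/* Simplified stand-in for nvme_auth_extract_key(): expects "DHHC-1:0H:<base64>:"
 * with H in 0..3 and a base64 body of 48/72/92 chars (the encodings of the
 * 36/52/68-byte key+CRC blobs). It does not decode the body or verify the CRC. */
static struct auth_key *extract_key_model(const char *secret)
{
    static const size_t b64len[3] = { 48, 72, 92 }, keylen[3] = { 32, 48, 64 };
    const char *body = secret + 10, *end;
    struct auth_key *k;
    size_t i;
    if (strncmp(secret, "DHHC-1:0", 8) || secret[8] < '0' || secret[8] > '3' ||
        secret[9] != ':' || !(end = strchr(body, ':')))
        return ERR_PTR(-EINVAL);
    for (i = 0; i < 3 && b64len[i] != (size_t)(end - body); i++)
        ;
    if (i == 3)                      /* e.g. "DHHC-1:00:AAAA:" : body too short */
        return ERR_PTR(-EINVAL);
    if (!(k = calloc(1, sizeof(*k))))
        return ERR_PTR(-ENOMEM);
    k->hash = secret[8] - '0';
    k->len = keylen[i];
    return k;
}

/* Fixed control flow: bail out on error before anything dereferences ctrl_key. */
int setup_auth_fixed(struct ctrl_model *ctrl, const struct host_model *host)
{
    int ret = 0;
    ctrl->ctrl_key = extract_key_model(host->dhchap_ctrl_secret);
    if (IS_ERR(ctrl->ctrl_key)) {
        ret = PTR_ERR(ctrl->ctrl_key);
        ctrl->ctrl_key = NULL;
        goto out;                    /* the jump the vulnerable version was missing */
    }
    printf("using ctrl hash %d, key len %zu\n", ctrl->ctrl_key->hash, ctrl->ctrl_key->len);
out:
    return ret;
}
```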