[LTS 8.8] nvme-tcp: fix potential memory corruption in nvme_tcp_recv_pdu() #234
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
jira VULN-56024 cve CVE-2025-21927 commit-author Maurizio Lombardi <mlombard@redhat.com> commit ad95bab upstream-diff Removed `nvme_tcp_c2h_term' case from `nvme_tcp_recv_pdu_supported' for the sake of consistency of `nvme_tcp_recv_pdu''s behavior relative to the upstream version, between the cases of proper and improper header. (What could be considered as "`c2h_term' type support" started with 84e0090 commit, not included in `ciqlts8_8''s history, so `nvme_tcp_recv_pdu_supported' in `ciqlts8_8' shouldn't report the `nvme_tcp_c2h_term' type as supported.) nvme_tcp_recv_pdu() doesn't check the validity of the header length. When header digests are enabled, a target might send a packet with an invalid header length (e.g. 255), causing nvme_tcp_verify_hdgst() to access memory outside the allocated area and cause memory corruptions by overwriting it with the calculated digest. Fix this by rejecting packets with an unexpected header length. Fixes: 3f2304f ("nvme-tcp: add NVMe over TCP host driver") Signed-off-by: Maurizio Lombardi <mlombard@redhat.com> Reviewed-by: Sagi Grimberg <sagi@grimberg.me> Signed-off-by: Keith Busch <kbusch@kernel.org> (cherry picked from commit ad95bab) Signed-off-by: Marcin Wcisło <marcin.wcislo@conclusive.pl>
pvts-mat
changed the title
bmastbergen
pushed a commit
to bmastbergen/kernel-src-tree
that referenced
this pull request
Aug 29, 2025
jira LE-1907 Rebuild_History Non-Buildable kernel-5.14.0-427.18.1.el9_4 commit-author Daniel Borkmann <daniel@iogearbox.net> commit c6d479b Add a big batch of test coverage to assert all aspects of the tcx link API: # ./vmtest.sh -- ./test_progs -t tc_links [...] ctrliq#225 tc_links_after:OK ctrliq#226 tc_links_append:OK ctrliq#227 tc_links_basic:OK ctrliq#228 tc_links_before:OK ctrliq#229 tc_links_chain_classic:OK ctrliq#230 tc_links_dev_cleanup:OK ctrliq#231 tc_links_invalid:OK ctrliq#232 tc_links_prepend:OK ctrliq#233 tc_links_replace:OK ctrliq#234 tc_links_revision:OK Summary: 10/0 PASSED, 0 SKIPPED, 0 FAILED Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Link: https://lore.kernel.org/r/20230719140858.13224-9-daniel@iogearbox.net Signed-off-by: Alexei Starovoitov <ast@kernel.org> (cherry picked from commit c6d479b) Signed-off-by: Jonathan Maple <jmaple@ciq.com>
bmastbergen
pushed a commit
to bmastbergen/kernel-src-tree
that referenced
this pull request
Aug 29, 2025
jira LE-1907 Rebuild_History Non-Buildable kernel-5.14.0-427.18.1.el9_4 commit-author Daniel Borkmann <daniel@iogearbox.net> commit ccd9a8b Add several new tcx test cases to improve test coverage. This also includes a few new tests with ingress instead of clsact qdisc, to cover the fix from commit dc644b5 ("tcx: Fix splat in ingress_destroy upon tcx_entry_free"). # ./test_progs -t tc [...] ctrliq#234 tc_links_after:OK ctrliq#235 tc_links_append:OK ctrliq#236 tc_links_basic:OK ctrliq#237 tc_links_before:OK ctrliq#238 tc_links_chain_classic:OK ctrliq#239 tc_links_chain_mixed:OK ctrliq#240 tc_links_dev_cleanup:OK ctrliq#241 tc_links_dev_mixed:OK ctrliq#242 tc_links_ingress:OK ctrliq#243 tc_links_invalid:OK ctrliq#244 tc_links_prepend:OK ctrliq#245 tc_links_replace:OK ctrliq#246 tc_links_revision:OK ctrliq#247 tc_opts_after:OK ctrliq#248 tc_opts_append:OK ctrliq#249 tc_opts_basic:OK ctrliq#250 tc_opts_before:OK ctrliq#251 tc_opts_chain_classic:OK ctrliq#252 tc_opts_chain_mixed:OK ctrliq#253 tc_opts_delete_empty:OK ctrliq#254 tc_opts_demixed:OK ctrliq#255 tc_opts_detach:OK ctrliq#256 tc_opts_detach_after:OK ctrliq#257 tc_opts_detach_before:OK ctrliq#258 tc_opts_dev_cleanup:OK ctrliq#259 tc_opts_invalid:OK ctrliq#260 tc_opts_mixed:OK ctrliq#261 tc_opts_prepend:OK ctrliq#262 tc_opts_replace:OK ctrliq#263 tc_opts_revision:OK [...] Summary: 44/38 PASSED, 0 SKIPPED, 0 FAILED Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Link: https://lore.kernel.org/r/8699efc284b75ccdc51ddf7062fa2370330dc6c0.1692029283.git.daniel@iogearbox.net Signed-off-by: Martin KaFai Lau <martin.lau@kernel.org> (cherry picked from commit ccd9a8b) Signed-off-by: Jonathan Maple <jmaple@ciq.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
[LTS 8.8]
CVE-2025-21927
VULN-56024
Problem
https://www.cve.org/CVERecord?id=CVE-2025-21927
Analysis and Solution
Context
NVME (Non-Volatile Memory Express) is a communication protocol designed for accessing high-speed storage media, particularly solid-state drives (SSDs). NVMe over Fabrics (NVMe-oF) is an extension of the NVMe protocol that allows NVMe commands to be sent over a network fabric, enabling remote access to NVMe storage devices.
The "target" mentioned in CVE description is the host providing access to the local NVME device (the server). The host importing the remote NVME device is called simply a "host", or "initiator" (the client). The module implementing NVMe-oF on target's side is
nvmet-tcp, on the initiator's side it'snvme-tcp- the subject of this patch.Applicability
All the key options related to NVMe-oF, specifically
CONFIG_NVME_TCPenabling thenvme-tcpmodule, are enabled inciqlts8_8. Per.configfile created fromconfigs/kernel-x86_64.config:Solution
The solution in the mainline kernel is provided in the ad95bab commit. It was not backported to any stable kernel older than 6.12.
Naive cherry-picking results in conflicts with git's attempt to introduce additional functions (
nvme_tcp_tls_configured,nvme_tcp_queue_tls) and code branches (nvme_tcp_c2h_termpacket type check in thenvme_tcp_recv_pdufunction) introduced in more recent versions of the module but not related to the bug fix.A small change was made to the
nvme_tcp_recv_pdu_supportedfunction introduced in the official fix ad95bab for the sake ofnvme_tcp_recv_pdu's behavior consistency between the scenarios of receiving a packet with a proper and an improper header - the removal of thenvme_tcp_c2h_termcase.Consider the behavior cases in case a packet with a proper header was received:
Then in case a packet with an improper header was received:
Solution
ais toxnot asbis toy, but ascis toz, thus thec,zpair was chosen.kABI check: passed
Boot test: passed
boot-test.log
Kselftests: passed relative
Methodology
The selftests were source-compiled from the recent
ciqlts8_8branch (commit f10433c). Thebpfsuite was run from thekernel-selftests-internalpackage.The tests were run using an explicit list which omitted certain tests known to give inconsistent results. Details in the src/run-kselftests.sh script of the
rocky-patchingproject.Coverage
android,bpf,breakpoints,capabilities,cgroup,core,cpu-hotplug,cpufreq,drivers/net/bonding,drivers/net/team,efivarfs,exec,firmware,fpu,ftrace,futex,gpio,intel_pstate,ipc,kcmp,kexec,kvm,lib,livepatch,membarrier,memfd,memory-hotplug,mount,mqueue,net(exceptip_defrag.sh,udpgso_bench.sh,txtimestamp.sh,gro.sh),net/forwarding(exceptipip_hier_gre_keys.sh,sch_ets.sh,sch_tbf_ets.sh,sch_tbf_prio.sh,sch_tbf_root.sh,tc_actions.sh)net/mptcp,netfilter(exceptnft_trans_stress.sh),nsfs,pstore,ptrace,rseq,sgx,sigaltstack,size,splice,static_keys,sync,sysctl,tc-testing,tdx,timens,timers,tpm2,user,vm,x86,zram,Reference
kselftests–mix–ciqlts8_8–run1.log
kselftests–mix–ciqlts8_8–run2.log
kselftests–mix–ciqlts8_8–run3.log
Patch
kselftests–mix–ciqlts8_8-CVE-2025-21927–run1.log
kselftests–mix–ciqlts8_8-CVE-2025-21927–run2.log
Comparison
All the differences are contained within the reference test batch itself, proving that the patch doesn't introduce any regression.
Differences highlights
net/mptcp:simult_flows.sh
This is a performance test, nondeterministic by nature.
Example of a successful run:
The failed test:
The test execution time exceeded the failing threshold by a little less than half a second.
net:reuseport_addr_any.sh
It's unclear at the moment what is the root case for the test failing in some cases and not in others. What is known however is that when it fails it's always for the same reason
net:xfrm_policy.sh
When the test fails it's always for the same reason: exceeding the timeout of 300 seconds when inserting the policies in random order.
Deeper investigation would have to be done to determine whether simply increasing the timeout would stabilize the test.
Specific tests: suspended
An attempt was made to set up the NVME-oF network between the VM (initiator) and the physical host (target). Obtained a working NVME server, as per module's dmesg
However, connection to the target was refused
Suspended the effort after some fruitless firewall adjustments. To resume on request.