[fips9.2] nvme-tcp: fix potential memory corruption in nvme_tcp_recv_pdu() #257
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
jira VULN-56030 cve CVE-2025-21927 commit-author Maurizio Lombardi <mlombard@redhat.com> commit ad95bab upstream-diff Removed `nvme_tcp_c2h_term' case from `nvme_tcp_recv_pdu_supported' for the sake of consistency of `nvme_tcp_recv_pdu''s behavior relative to the upstream version, between the cases of proper and improper header. (What could be considered as "`c2h_term' type support" started with 84e0090 commit, not included in `ciqlts9_2''s history, so `nvme_tcp_recv_pdu_supported' in `ciqlts9_2' shouldn't report the `nvme_tcp_c2h_term' type as supported.) nvme_tcp_recv_pdu() doesn't check the validity of the header length. When header digests are enabled, a target might send a packet with an invalid header length (e.g. 255), causing nvme_tcp_verify_hdgst() to access memory outside the allocated area and cause memory corruptions by overwriting it with the calculated digest. Fix this by rejecting packets with an unexpected header length. Fixes: 3f2304f ("nvme-tcp: add NVMe over TCP host driver") Signed-off-by: Maurizio Lombardi <mlombard@redhat.com> Reviewed-by: Sagi Grimberg <sagi@grimberg.me> Signed-off-by: Keith Busch <kbusch@kernel.org> (cherry picked from commit ad95bab) Signed-off-by: Brett Mastbergen <bmastbergen@ciq.com>
kerneltoast
approved these changes
May 13, 2025
bmastbergen
merged commit 8f44fb6
into
fips-9-compliant/5.14.0-284.30.1
2 checks passed
bmastbergen
deleted the
bmastbergen_fips-9-compliant/5.14.0-284.30.1/VULN-56030
branch
bmastbergen
pushed a commit
to bmastbergen/kernel-src-tree
that referenced
this pull request
Aug 29, 2025
jira LE-1907 Rebuild_History Non-Buildable kernel-5.14.0-427.18.1.el9_4 commit-author Daniel Borkmann <daniel@iogearbox.net> commit 21ce6ab Add a detachment test case with miniq present to assert that with and without the miniq we get the same error. # ./test_progs -t tc_opts ctrliq#244 tc_opts_after:OK ctrliq#245 tc_opts_append:OK ctrliq#246 tc_opts_basic:OK ctrliq#247 tc_opts_before:OK ctrliq#248 tc_opts_chain_classic:OK ctrliq#249 tc_opts_delete_empty:OK ctrliq#250 tc_opts_demixed:OK ctrliq#251 tc_opts_detach:OK ctrliq#252 tc_opts_detach_after:OK ctrliq#253 tc_opts_detach_before:OK ctrliq#254 tc_opts_dev_cleanup:OK ctrliq#255 tc_opts_invalid:OK ctrliq#256 tc_opts_mixed:OK ctrliq#257 tc_opts_prepend:OK ctrliq#258 tc_opts_replace:OK ctrliq#259 tc_opts_revision:OK Summary: 16/0 PASSED, 0 SKIPPED, 0 FAILED Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Link: https://lore.kernel.org/r/20230804131112.11012-2-daniel@iogearbox.net Signed-off-by: Martin KaFai Lau <martin.lau@kernel.org> (cherry picked from commit 21ce6ab) Signed-off-by: Jonathan Maple <jmaple@ciq.com>
bmastbergen
pushed a commit
to bmastbergen/kernel-src-tree
that referenced
this pull request
Aug 29, 2025
jira LE-1907 Rebuild_History Non-Buildable kernel-5.14.0-427.18.1.el9_4 commit-author Daniel Borkmann <daniel@iogearbox.net> commit ccd9a8b Add several new tcx test cases to improve test coverage. This also includes a few new tests with ingress instead of clsact qdisc, to cover the fix from commit dc644b5 ("tcx: Fix splat in ingress_destroy upon tcx_entry_free"). # ./test_progs -t tc [...] ctrliq#234 tc_links_after:OK ctrliq#235 tc_links_append:OK ctrliq#236 tc_links_basic:OK ctrliq#237 tc_links_before:OK ctrliq#238 tc_links_chain_classic:OK ctrliq#239 tc_links_chain_mixed:OK ctrliq#240 tc_links_dev_cleanup:OK ctrliq#241 tc_links_dev_mixed:OK ctrliq#242 tc_links_ingress:OK ctrliq#243 tc_links_invalid:OK ctrliq#244 tc_links_prepend:OK ctrliq#245 tc_links_replace:OK ctrliq#246 tc_links_revision:OK ctrliq#247 tc_opts_after:OK ctrliq#248 tc_opts_append:OK ctrliq#249 tc_opts_basic:OK ctrliq#250 tc_opts_before:OK ctrliq#251 tc_opts_chain_classic:OK ctrliq#252 tc_opts_chain_mixed:OK ctrliq#253 tc_opts_delete_empty:OK ctrliq#254 tc_opts_demixed:OK ctrliq#255 tc_opts_detach:OK ctrliq#256 tc_opts_detach_after:OK ctrliq#257 tc_opts_detach_before:OK ctrliq#258 tc_opts_dev_cleanup:OK ctrliq#259 tc_opts_invalid:OK ctrliq#260 tc_opts_mixed:OK ctrliq#261 tc_opts_prepend:OK ctrliq#262 tc_opts_replace:OK ctrliq#263 tc_opts_revision:OK [...] Summary: 44/38 PASSED, 0 SKIPPED, 0 FAILED Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Link: https://lore.kernel.org/r/8699efc284b75ccdc51ddf7062fa2370330dc6c0.1692029283.git.daniel@iogearbox.net Signed-off-by: Martin KaFai Lau <martin.lau@kernel.org> (cherry picked from commit ccd9a8b) Signed-off-by: Jonathan Maple <jmaple@ciq.com>
bmastbergen
pushed a commit
to bmastbergen/kernel-src-tree
that referenced
this pull request
Aug 29, 2025
jira LE-1907 Rebuild_History Non-Buildable kernel-5.14.0-427.18.1.el9_4 commit-author Daniel Borkmann <daniel@iogearbox.net> commit d1a783d Add various tests to check maximum number of supported programs being attached: # ./vmtest.sh -- ./test_progs -t tc_opts [...] ./test_progs -t tc_opts [ 1.185325] bpf_testmod: loading out-of-tree module taints kernel. [ 1.186826] bpf_testmod: module verification failed: signature and/or required key missing - tainting kernel [ 1.270123] tsc: Refined TSC clocksource calibration: 3407.988 MHz [ 1.272428] clocksource: tsc: mask: 0xffffffffffffffff max_cycles: 0x311fc932722, max_idle_ns: 440795381586 ns [ 1.276408] clocksource: Switched to clocksource tsc ctrliq#252 tc_opts_after:OK ctrliq#253 tc_opts_append:OK ctrliq#254 tc_opts_basic:OK ctrliq#255 tc_opts_before:OK ctrliq#256 tc_opts_chain_classic:OK ctrliq#257 tc_opts_chain_mixed:OK ctrliq#258 tc_opts_delete_empty:OK ctrliq#259 tc_opts_demixed:OK ctrliq#260 tc_opts_detach:OK ctrliq#261 tc_opts_detach_after:OK ctrliq#262 tc_opts_detach_before:OK ctrliq#263 tc_opts_dev_cleanup:OK ctrliq#264 tc_opts_invalid:OK ctrliq#265 tc_opts_max:OK <--- (new test) ctrliq#266 tc_opts_mixed:OK ctrliq#267 tc_opts_prepend:OK ctrliq#268 tc_opts_replace:OK ctrliq#269 tc_opts_revision:OK Summary: 18/0 PASSED, 0 SKIPPED, 0 FAILED Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Signed-off-by: Andrii Nakryiko <andrii@kernel.org> Link: https://lore.kernel.org/bpf/20230929204121.20305-2-daniel@iogearbox.net (cherry picked from commit d1a783d) Signed-off-by: Jonathan Maple <jmaple@ciq.com>
bmastbergen
pushed a commit
to bmastbergen/kernel-src-tree
that referenced
this pull request
Aug 29, 2025
jira LE-1907 Rebuild_History Non-Buildable kernel-5.14.0-427.18.1.el9_4 commit-author Daniel Borkmann <daniel@iogearbox.net> commit f9b0879 Add a new test case which performs double query of the bpf_mprog through libbpf API, but also via raw bpf(2) syscall. This is testing to gather first the count and then in a subsequent probe the full information with the program array without clearing passed structs in between. # ./vmtest.sh -- ./test_progs -t tc_opts [...] ./test_progs -t tc_opts [ 1.398818] tsc: Refined TSC clocksource calibration: 3407.999 MHz [ 1.400263] clocksource: tsc: mask: 0xffffffffffffffff max_cycles: 0x311fd336761, max_idle_ns: 440795243819 ns [ 1.402734] clocksource: Switched to clocksource tsc [ 1.426639] bpf_testmod: loading out-of-tree module taints kernel. [ 1.428112] bpf_testmod: module verification failed: signature and/or required key missing - tainting kernel ctrliq#252 tc_opts_after:OK ctrliq#253 tc_opts_append:OK ctrliq#254 tc_opts_basic:OK ctrliq#255 tc_opts_before:OK ctrliq#256 tc_opts_chain_classic:OK ctrliq#257 tc_opts_chain_mixed:OK ctrliq#258 tc_opts_delete_empty:OK ctrliq#259 tc_opts_demixed:OK ctrliq#260 tc_opts_detach:OK ctrliq#261 tc_opts_detach_after:OK ctrliq#262 tc_opts_detach_before:OK ctrliq#263 tc_opts_dev_cleanup:OK ctrliq#264 tc_opts_invalid:OK ctrliq#265 tc_opts_max:OK ctrliq#266 tc_opts_mixed:OK ctrliq#267 tc_opts_prepend:OK ctrliq#268 tc_opts_query:OK <--- (new test) ctrliq#269 tc_opts_replace:OK ctrliq#270 tc_opts_revision:OK Summary: 19/0 PASSED, 0 SKIPPED, 0 FAILED Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Link: https://lore.kernel.org/r/20231006220655.1653-4-daniel@iogearbox.net Signed-off-by: Martin KaFai Lau <martin.lau@kernel.org> (cherry picked from commit f9b0879) Signed-off-by: Jonathan Maple <jmaple@ciq.com>
bmastbergen
pushed a commit
to bmastbergen/kernel-src-tree
that referenced
this pull request
Aug 29, 2025
jira LE-1907 Rebuild_History Non-Buildable kernel-5.14.0-427.18.1.el9_4 commit-author Daniel Borkmann <daniel@iogearbox.net> commit 685446b Add a new test case to query on an empty bpf_mprog and pass the revision directly into expected_revision for attachment to assert that this does succeed. ./test_progs -t tc_opts [ 1.406778] tsc: Refined TSC clocksource calibration: 3407.990 MHz [ 1.408863] clocksource: tsc: mask: 0xffffffffffffffff max_cycles: 0x311fcaf6eb0, max_idle_ns: 440795321766 ns [ 1.412419] clocksource: Switched to clocksource tsc [ 1.428671] bpf_testmod: loading out-of-tree module taints kernel. [ 1.430260] bpf_testmod: module verification failed: signature and/or required key missing - tainting kernel ctrliq#252 tc_opts_after:OK ctrliq#253 tc_opts_append:OK ctrliq#254 tc_opts_basic:OK ctrliq#255 tc_opts_before:OK ctrliq#256 tc_opts_chain_classic:OK ctrliq#257 tc_opts_chain_mixed:OK ctrliq#258 tc_opts_delete_empty:OK ctrliq#259 tc_opts_demixed:OK ctrliq#260 tc_opts_detach:OK ctrliq#261 tc_opts_detach_after:OK ctrliq#262 tc_opts_detach_before:OK ctrliq#263 tc_opts_dev_cleanup:OK ctrliq#264 tc_opts_invalid:OK ctrliq#265 tc_opts_max:OK ctrliq#266 tc_opts_mixed:OK ctrliq#267 tc_opts_prepend:OK ctrliq#268 tc_opts_query:OK ctrliq#269 tc_opts_query_attach:OK <--- (new test) ctrliq#270 tc_opts_replace:OK ctrliq#271 tc_opts_revision:OK Summary: 20/0 PASSED, 0 SKIPPED, 0 FAILED Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Link: https://lore.kernel.org/r/20231006220655.1653-6-daniel@iogearbox.net Signed-off-by: Martin KaFai Lau <martin.lau@kernel.org> (cherry picked from commit 685446b) Signed-off-by: Jonathan Maple <jmaple@ciq.com>
bmastbergen
pushed a commit
to bmastbergen/kernel-src-tree
that referenced
this pull request
Aug 29, 2025
jira LE-1907 Rebuild_History Non-Buildable kernel-5.14.0-427.18.1.el9_4 commit-author Daniel Borkmann <daniel@iogearbox.net> commit 2451630 Add several new test cases which assert corner cases on the mprog query mechanism, for example, around passing in a too small or a larger array than the current count. ./test_progs -t tc_opts ctrliq#252 tc_opts_after:OK ctrliq#253 tc_opts_append:OK ctrliq#254 tc_opts_basic:OK ctrliq#255 tc_opts_before:OK ctrliq#256 tc_opts_chain_classic:OK ctrliq#257 tc_opts_chain_mixed:OK ctrliq#258 tc_opts_delete_empty:OK ctrliq#259 tc_opts_demixed:OK ctrliq#260 tc_opts_detach:OK ctrliq#261 tc_opts_detach_after:OK ctrliq#262 tc_opts_detach_before:OK ctrliq#263 tc_opts_dev_cleanup:OK ctrliq#264 tc_opts_invalid:OK ctrliq#265 tc_opts_max:OK ctrliq#266 tc_opts_mixed:OK ctrliq#267 tc_opts_prepend:OK ctrliq#268 tc_opts_query:OK ctrliq#269 tc_opts_query_attach:OK ctrliq#270 tc_opts_replace:OK ctrliq#271 tc_opts_revision:OK Summary: 20/0 PASSED, 0 SKIPPED, 0 FAILED Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Signed-off-by: Andrii Nakryiko <andrii@kernel.org> Reviewed-by: Alan Maguire <alan.maguire@oracle.com> Link: https://lore.kernel.org/bpf/20231017081728.24769-1-daniel@iogearbox.net (cherry picked from commit 2451630) Signed-off-by: Jonathan Maple <jmaple@ciq.com>
bmastbergen
pushed a commit
to bmastbergen/kernel-src-tree
that referenced
this pull request
Aug 29, 2025
jira LE-1907 Rebuild_History Non-Buildable kernel-5.14.0-427.37.1.el9_4 commit-author Maciej Fijalkowski <maciej.fijalkowski@intel.com> commit c511471 Empty-Commit: Cherry-Pick Conflicts during history rebuild. Will be included in final tarball splat. Ref for failed cherry-pick at: ciq/ciq_backports/kernel-5.14.0-427.37.1.el9_4/c5114710.failed Currently when packet is shrunk via bpf_xdp_adjust_tail() and memory type is set to MEM_TYPE_XSK_BUFF_POOL, null ptr dereference happens: [1136314.192256] BUG: kernel NULL pointer dereference, address: 0000000000000034 [1136314.203943] #PF: supervisor read access in kernel mode [1136314.213768] #PF: error_code(0x0000) - not-present page [1136314.223550] PGD 0 P4D 0 [1136314.230684] Oops: 0000 [#1] PREEMPT SMP NOPTI [1136314.239621] CPU: 8 PID: 54203 Comm: xdpsock Not tainted 6.6.0+ ctrliq#257 [1136314.250469] Hardware name: Intel Corporation S2600WFT/S2600WFT, BIOS SE5C620.86B.02.01.0008.031920191559 03/19/2019 [1136314.265615] RIP: 0010:__xdp_return+0x6c/0x210 [1136314.274653] Code: ad 00 48 8b 47 08 49 89 f8 a8 01 0f 85 9b 01 00 00 0f 1f 44 00 00 f0 41 ff 48 34 75 32 4c 89 c7 e9 79 cd 80 ff 83 fe 03 75 17 <f6> 41 34 01 0f 85 02 01 00 00 48 89 cf e9 22 cc 1e 00 e9 3d d2 86 [1136314.302907] RSP: 0018:ffffc900089f8db0 EFLAGS: 00010246 [1136314.312967] RAX: ffffc9003168aed0 RBX: ffff8881c3300000 RCX: 0000000000000000 [1136314.324953] RDX: 0000000000000000 RSI: 0000000000000003 RDI: ffffc9003168c000 [1136314.336929] RBP: 0000000000000ae0 R08: 0000000000000002 R09: 0000000000010000 [1136314.348844] R10: ffffc9000e495000 R11: 0000000000000040 R12: 0000000000000001 [1136314.360706] R13: 0000000000000524 R14: ffffc9003168aec0 R15: 0000000000000001 [1136314.373298] FS: 00007f8df8bbcb80(0000) GS:ffff8897e0e00000(0000) knlGS:0000000000000000 [1136314.386105] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [1136314.396532] CR2: 0000000000000034 CR3: 00000001aa912002 CR4: 00000000007706f0 [1136314.408377] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [1136314.420173] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [1136314.431890] PKRU: 55555554 [1136314.439143] Call Trace: [1136314.446058] <IRQ> [1136314.452465] ? __die+0x20/0x70 [1136314.459881] ? page_fault_oops+0x15b/0x440 [1136314.468305] ? exc_page_fault+0x6a/0x150 [1136314.476491] ? asm_exc_page_fault+0x22/0x30 [1136314.484927] ? __xdp_return+0x6c/0x210 [1136314.492863] bpf_xdp_adjust_tail+0x155/0x1d0 [1136314.501269] bpf_prog_ccc47ae29d3b6570_xdp_sock_prog+0x15/0x60 [1136314.511263] ice_clean_rx_irq_zc+0x206/0xc60 [ice] [1136314.520222] ? ice_xmit_zc+0x6e/0x150 [ice] [1136314.528506] ice_napi_poll+0x467/0x670 [ice] [1136314.536858] ? ttwu_do_activate.constprop.0+0x8f/0x1a0 [1136314.546010] __napi_poll+0x29/0x1b0 [1136314.553462] net_rx_action+0x133/0x270 [1136314.561619] __do_softirq+0xbe/0x28e [1136314.569303] do_softirq+0x3f/0x60 This comes from __xdp_return() call with xdp_buff argument passed as NULL which is supposed to be consumed by xsk_buff_free() call. To address this properly, in ZC case, a node that represents the frag being removed has to be pulled out of xskb_list. Introduce appropriate xsk helpers to do such node operation and use them accordingly within bpf_xdp_adjust_tail(). Fixes: 24ea501 ("xsk: support mbuf on ZC RX") Acked-by: Magnus Karlsson <magnus.karlsson@intel.com> # For the xsk header part Signed-off-by: Maciej Fijalkowski <maciej.fijalkowski@intel.com> Link: https://lore.kernel.org/r/20240124191602.566724-4-maciej.fijalkowski@intel.com Signed-off-by: Alexei Starovoitov <ast@kernel.org> (cherry picked from commit c511471) Signed-off-by: Jonathan Maple <jmaple@ciq.com> # Conflicts: # net/core/filter.c
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
jira VULN-56030
cve CVE-2025-21927
Same as #238
Build log
Testing
kselftests were run before and after adding the fix
selfests-5.14.0-284.30.1.el9_2.ciqfips.0.11.1.x86_64.log
selfests-5.14.0-b_f-9-c_5.14.0-284.30.1_VULN-56030-aee3a9524630+.log