CVE-2024-41079
Daniel Wagner (1): [Backport] nvmet: always initialize cqe.result
 drivers/nvme/target/core.c        | 1 +
 drivers/nvme/target/fabrics-cmd.c | 6 ------
 2 files changed, 1 insertion(+), 6 deletions(-)
From: Daniel Wagner <dwagner@suse.de>
mainline inclusion
from mainline-v6.10-rc4
commit cd0c1b8e045a8d2785342b385cb2684d9b48e426
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAGEMT
CVE: CVE-2024-41079
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?i...
--------------------------------
The spec doesn't mandate that the first two double words (aka results) for the command queue entry need to be set to 0 when they are not used (not specified). Though, the target implementation returns 0 for TCP and FC but not for RDMA.

Let's make RDMA behave the same and thus explicitly initialize the result field. This prevents leaking any data from the stack.
Signed-off-by: Daniel Wagner <dwagner@suse.de>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Keith Busch <kbusch@kernel.org>
Conflicts:
	drivers/nvme/target/fabrics-cmd-auth.c [removed file]
Signed-off-by: Yuntao Liu <liuyuntao12@huawei.com>
---
 drivers/nvme/target/core.c        | 1 +
 drivers/nvme/target/fabrics-cmd.c | 6 ------
 2 files changed, 1 insertion(+), 6 deletions(-)
diff --git a/drivers/nvme/target/core.c b/drivers/nvme/target/core.c index bc88ff2912f5..2a0e7066c801 100644 --- a/drivers/nvme/target/core.c +++ b/drivers/nvme/target/core.c @@ -908,6 +908,7 @@ bool nvmet_req_init(struct nvmet_req *req, struct nvmet_cq *cq, req->metadata_sg_cnt = 0; req->transfer_len = 0; req->metadata_len = 0; + req->cqe->result.u64 = 0; req->cqe->status = 0; req->cqe->sq_head = 0; req->ns = NULL; diff --git a/drivers/nvme/target/fabrics-cmd.c b/drivers/nvme/target/fabrics-cmd.c index 66506a70310d..870f4b5cf903 100644 --- a/drivers/nvme/target/fabrics-cmd.c +++ b/drivers/nvme/target/fabrics-cmd.c @@ -170,9 +170,6 @@ static void nvmet_execute_admin_connect(struct nvmet_req *req) if (status) goto out;
- /* zero out initial completion result, assign values as needed */ - req->cqe->result.u32 = 0; - if (c->recfmt != 0) { pr_warn("invalid connect version (%d).\n", le16_to_cpu(c->recfmt)); @@ -242,9 +239,6 @@ static void nvmet_execute_io_connect(struct nvmet_req *req) if (status) goto out;
- /* zero out initial completion result, assign values as needed */ - req->cqe->result.u32 = 0; - if (c->recfmt != 0) { pr_warn("invalid connect version (%d).\n", le16_to_cpu(c->recfmt));
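Review bot: the added `req->cqe->result.u64 = 0;` in the core.c hunk of nvmet_req_init zeroes both result dwords, while the stores removed from fabrics-cmd.c wrote only `req->cqe->result.u32 = 0;`, so this is a widening as well as a relocation of the zeroing. That matches the commit message (both dwords are unspecified when unused), but it deserves a sentence in the backport notes so nobody reads the removed `u32` stores as exactly equivalent. Placing the store next to `req->cqe->status = 0;` and `req->cqe->sq_head = 0;` is the right spot: every transport that reaches nvmet_req_init now gets a fully initialised completion regardless of which command handler runs afterwards.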
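Review bot: in the nvmet_execute_admin_connect hunk, removing `req->cqe->result.u32 = 0;` makes the handler depend on nvmet_req_init having run before it, and the dropped comment "zero out initial completion result, assign values as needed" was the only hint in the function that the result starts out clean. Consider a one-line comment at the removal point, e.g. `/* cqe->result is pre-zeroed in nvmet_req_init */`, so the dependency on the common init path stays visible to the next person editing this function.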
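Review bot: the nvmet_execute_io_connect hunk is the same removal as in the admin connect path and has the same dependency on nvmet_req_init, so the same short comment would help there. Since the Conflicts line records that drivers/nvme/target/fabrics-cmd-auth.c does not exist in this tree and the corresponding mainline hunk was dropped, the backport notes should also confirm that no other handler in this tree still carries its own `result` zeroing that would now be redundant or inconsistent with the core.c change.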
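The patch above moves completion-result zeroing from the connect handlers into the common request-init path and widens it from one dword to two. The following is an added example, not code from the patch or the kernel: it models the completion entry with a hypothetical `struct cqe` and hypothetical `req_init_old`/`req_init_new`/`connect_old` functions, poisons the entry with a constructed byte pattern standing in for stale stack contents, and counts how many result bytes each initialisation strategy leaves untouched.

```c
/* Added example (not the patch's own code). Models the nvmet completion
 * queue entry and shows why zeroing result.u64 in the common init path
 * covers both result dwords while a per-handler result.u32 store covers
 * only the first. struct cqe, req_init_*, connect_old are hypothetical
 * stand-ins for the kernel structures and functions named in the patch. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Layout idea of the kernel's struct nvme_completion: an 8-byte result
 * union followed by sq_head and status. */
struct cqe {
    union {
        uint16_t u16;
        uint32_t u32;
        uint64_t u64;
    } result;
    uint16_t sq_head;
    uint16_t status;
};

/* Constructed poison byte: stands in for whatever the stack held before. */
#define POISON 0xA5

static void poison(struct cqe *c)
{
    memset(c, POISON, sizeof *c);
}

/* Old common init (before the core.c hunk): status and sq_head zeroed,
 * result left alone. */
static void req_init_old(struct cqe *c)
{
    c->status = 0;
    c->sq_head = 0;
}

/* New common init (what the core.c hunk does): also zero the whole result. */
static void req_init_new(struct cqe *c)
{
    c->result.u64 = 0;
    c->status = 0;
    c->sq_head = 0;
}

/* Old connect handler: zeroed only the low dword of result. Writing one
 * union member leaves the other bytes as they were, so the upper dword
 * keeps its poison. This is the store the fabrics-cmd.c hunks remove. */
static void connect_old(struct cqe *c)
{
    c->result.u32 = 0;
}

/* Count result bytes that still carry poison, i.e. bytes that would reach
 * the host in the completion. */
static int leaked_result_bytes(const struct cqe *c)
{
    unsigned char b[sizeof c->result];
    int n = 0;

    memcpy(b, &c->result, sizeof b);
    for (size_t i = 0; i < sizeof b; i++)
        n += (b[i] != 0);
    return n;
}

/* Scenario 1: old core init and a handler that never touches result
 * (the RDMA case the commit message describes). */
int leak_old_no_handler(void)
{
    struct cqe c;

    poison(&c);
    req_init_old(&c);
    return leaked_result_bytes(&c);
}

/* Scenario 2: old core init plus the old connect handler's u32 store. */
int leak_old_connect(void)
{
    struct cqe c;

    poison(&c);
    req_init_old(&c);
    connect_old(&c);
    return leaked_result_bytes(&c);
}

/* Scenario 3: new core init; no per-handler zeroing needed. */
int leak_new(void)
{
    struct cqe c;

    poison(&c);
    req_init_new(&c);
    return leaked_result_bytes(&c);
}

int main(void)
{
    printf("old init, no handler store:   %d poisoned result bytes\n", leak_old_no_handler());
    printf("old init + connect u32 store: %d poisoned result bytes\n", leak_old_connect());
    printf("new init (result.u64 = 0):    %d poisoned result bytes\n", leak_new());
    return 0;
}
```

The three counters come out as 8, 4 and 0: the unmodified RDMA-style path forwards the whole stale result, the removed per-handler store cleaned only the first dword, and the single `u64` store in the common init path leaves nothing for a handler to forget.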
Feedback: The patch(es) you sent to kernel@openeuler.org have been converted to a pull request successfully!
Pull request link: https://gitee.com/openeuler/kernel/pulls/10712
Mailing list address: https://mailweb.openeuler.org/hyperkitty/list/kernel@openeuler.org/message/S...