linux/drivers/target
Vincent Pelletier 1816494330 scsi: target: iscsi: Use hex2bin instead of a re-implementation
This change has the following effects, in order of descreasing importance:

1) Prevent a stack buffer overflow

2) Do not append an unnecessary NULL to an anyway binary buffer, which
   is writing one byte past client_digest when caller is:
   chap_string_to_hex(client_digest, chap_r, strlen(chap_r));

The latter was found by KASAN (see below) when input value hes expected size
(32 hex chars), and further analysis revealed a stack buffer overflow can
happen when network-received value is longer, allowing an unauthenticated
remote attacker to smash up to 17 bytes after destination buffer (16 bytes
attacker-controlled and one null).  As switching to hex2bin requires
specifying destination buffer length, and does not internally append any null,
it solves both issues.

This addresses CVE-2018-14633.

Beyond this:

- Validate received value length and check hex2bin accepted the input, to log
  this rejection reason instead of just failing authentication.

- Only log received CHAP_R and CHAP_C values once they passed sanity checks.

==================================================================
BUG: KASAN: stack-out-of-bounds in chap_string_to_hex+0x32/0x60 [iscsi_target_mod]
Write of size 1 at addr ffff8801090ef7c8 by task kworker/0:0/1021

CPU: 0 PID: 1021 Comm: kworker/0:0 Tainted: G           O      4.17.8kasan.sess.connops+ #2
Hardware name: To be filled by O.E.M. To be filled by O.E.M./Aptio CRB, BIOS 5.6.5 05/19/2014
Workqueue: events iscsi_target_do_login_rx [iscsi_target_mod]
Call Trace:
 dump_stack+0x71/0xac
 print_address_description+0x65/0x22e
 ? chap_string_to_hex+0x32/0x60 [iscsi_target_mod]
 kasan_report.cold.6+0x241/0x2fd
 chap_string_to_hex+0x32/0x60 [iscsi_target_mod]
 chap_server_compute_md5.isra.2+0x2cb/0x860 [iscsi_target_mod]
 ? chap_binaryhex_to_asciihex.constprop.5+0x50/0x50 [iscsi_target_mod]
 ? ftrace_caller_op_ptr+0xe/0xe
 ? __orc_find+0x6f/0xc0
 ? unwind_next_frame+0x231/0x850
 ? kthread+0x1a0/0x1c0
 ? ret_from_fork+0x35/0x40
 ? ret_from_fork+0x35/0x40
 ? iscsi_target_do_login_rx+0x3bc/0x4c0 [iscsi_target_mod]
 ? deref_stack_reg+0xd0/0xd0
 ? iscsi_target_do_login_rx+0x3bc/0x4c0 [iscsi_target_mod]
 ? is_module_text_address+0xa/0x11
 ? kernel_text_address+0x4c/0x110
 ? __save_stack_trace+0x82/0x100
 ? ret_from_fork+0x35/0x40
 ? save_stack+0x8c/0xb0
 ? 0xffffffffc1660000
 ? iscsi_target_do_login+0x155/0x8d0 [iscsi_target_mod]
 ? iscsi_target_do_login_rx+0x3bc/0x4c0 [iscsi_target_mod]
 ? process_one_work+0x35c/0x640
 ? worker_thread+0x66/0x5d0
 ? kthread+0x1a0/0x1c0
 ? ret_from_fork+0x35/0x40
 ? iscsi_update_param_value+0x80/0x80 [iscsi_target_mod]
 ? iscsit_release_cmd+0x170/0x170 [iscsi_target_mod]
 chap_main_loop+0x172/0x570 [iscsi_target_mod]
 ? chap_server_compute_md5.isra.2+0x860/0x860 [iscsi_target_mod]
 ? rx_data+0xd6/0x120 [iscsi_target_mod]
 ? iscsit_print_session_params+0xd0/0xd0 [iscsi_target_mod]
 ? cyc2ns_read_begin.part.2+0x90/0x90
 ? _raw_spin_lock_irqsave+0x25/0x50
 ? memcmp+0x45/0x70
 iscsi_target_do_login+0x875/0x8d0 [iscsi_target_mod]
 ? iscsi_target_check_first_request.isra.5+0x1a0/0x1a0 [iscsi_target_mod]
 ? del_timer+0xe0/0xe0
 ? memset+0x1f/0x40
 ? flush_sigqueue+0x29/0xd0
 iscsi_target_do_login_rx+0x3bc/0x4c0 [iscsi_target_mod]
 ? iscsi_target_nego_release+0x80/0x80 [iscsi_target_mod]
 ? iscsi_target_restore_sock_callbacks+0x130/0x130 [iscsi_target_mod]
 process_one_work+0x35c/0x640
 worker_thread+0x66/0x5d0
 ? flush_rcu_work+0x40/0x40
 kthread+0x1a0/0x1c0
 ? kthread_bind+0x30/0x30
 ret_from_fork+0x35/0x40

The buggy address belongs to the page:
page:ffffea0004243bc0 count:0 mapcount:0 mapping:0000000000000000 index:0x0
flags: 0x17fffc000000000()
raw: 017fffc000000000 0000000000000000 0000000000000000 00000000ffffffff
raw: ffffea0004243c20 ffffea0004243ba0 0000000000000000 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8801090ef680: f2 f2 f2 f2 f2 f2 f2 01 f2 f2 f2 f2 f2 f2 f2 00
 ffff8801090ef700: f2 f2 f2 f2 f2 f2 f2 00 02 f2 f2 f2 f2 f2 f2 00
>ffff8801090ef780: 00 f2 f2 f2 f2 f2 f2 00 00 f2 f2 f2 f2 f2 f2 00
                                              ^
 ffff8801090ef800: 00 f2 f2 f2 f2 f2 f2 00 00 00 00 02 f2 f2 f2 f2
 ffff8801090ef880: f2 f2 f2 00 00 00 00 00 00 00 00 f2 f2 f2 f2 00
==================================================================

Signed-off-by: Vincent Pelletier <plr.vincent@gmail.com>
Reviewed-by: Mike Christie <mchristi@redhat.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
2018-09-21 12:31:13 -04:00
..
iscsi scsi: target: iscsi: Use hex2bin instead of a re-implementation 2018-09-21 12:31:13 -04:00
loopback SCSI misc on 20180815 2018-08-15 22:06:26 -07:00
sbp scsi: target: srp, vscsi, sbp, qla: use target_remove_session 2018-08-02 15:29:31 -04:00
tcm_fc scsi: tcm_fc: use target_remove_session 2018-08-02 15:29:31 -04:00
Kconfig target: don't depend on SCSI 2018-08-02 15:19:49 -06:00
Makefile License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
target_core_alua.c target: fix ALUA state file path truncation 2017-11-04 15:00:30 -07:00
target_core_alua.h Merge branch 'for-next' of git://git.kernel.org/pub/scm/linux/kernel/git/nab/target-pending 2017-11-24 19:19:20 -10:00
target_core_configfs.c scsi: target: add helper to check if dev is configured 2018-07-30 23:17:53 -04:00
target_core_device.c scsi: target: add helper to check if dev is configured 2018-07-30 23:17:53 -04:00
target_core_fabric_configfs.c scsi: target: add helper to check if dev is configured 2018-07-30 23:17:53 -04:00
target_core_fabric_lib.c target-core: don't use "const char*" for a buffer that is written to 2018-01-12 15:07:09 -08:00
target_core_file.c scsi: target: target/file: Add support of direct and async I/O 2018-05-14 22:40:08 -04:00
target_core_file.h scsi: target: target/file: Add support of direct and async I/O 2018-05-14 22:40:08 -04:00
target_core_hba.c target: Fix target_sense_desc_format NULL pointer dereference 2015-09-24 23:17:23 -07:00
target_core_iblock.c target: convert to bioset_init()/mempool_init() 2018-05-30 15:33:32 -06:00
target_core_iblock.h target: convert to bioset_init()/mempool_init() 2018-05-30 15:33:32 -06:00
target_core_internal.h scsi: target: Fold core_tmr_handle_tas_abort() into transport_cmd_finish_abort() 2018-07-02 16:44:31 -04:00
target_core_pr.c scsi: target: Fix truncated PR-in ReadKeys response 2018-06-19 21:36:37 -04:00
target_core_pr.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
target_core_pscsi.c SCSI misc on 20180610 2018-06-10 13:01:12 -07:00
target_core_pscsi.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
target_core_rd.c target: break up free_device callback 2017-07-06 23:11:37 -07:00
target_core_rd.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
target_core_sbc.c scsi: target: Use config_item_name() instead of open-coding it 2018-07-02 16:44:30 -04:00
target_core_spc.c target: Fix cmd size for PR-OUT in passthrough_parse_cdb 2017-07-09 20:58:49 -07:00
target_core_stat.c target: make config_item_type const 2017-10-19 16:15:17 +02:00
target_core_tmr.c scsi: target: Fold core_tmr_handle_tas_abort() into transport_cmd_finish_abort() 2018-07-02 16:44:31 -04:00
target_core_tpg.c target: Fix node_acl demo-mode + uncached dynamic shutdown regression 2017-08-09 20:55:19 -07:00
target_core_transport.c scsi: target: add session removal function 2018-08-02 15:29:31 -04:00
target_core_ua.c scsi: target: Remove se_dev_entry.ua_count 2018-07-02 16:44:32 -04:00
target_core_ua.h scsi: target: Fix handling of removed LUNs 2018-07-02 16:44:32 -04:00
target_core_user.c SCSI misc on 20180815 2018-08-15 22:06:26 -07:00
target_core_xcopy.c scsi: target: Introduce transport_init_session() 2018-07-02 16:44:31 -04:00
target_core_xcopy.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00