CVE-2023-52454: Resolving Linux Kernel Panic Caused by Invalid H2C PDU Length in nvmet-tcp

A critical vulnerability has been found and resolved in the Linux kernel, specifically in the nvmet-tcp module (the NVMe over TCP target). The vulnerability, CVE-2023-52454, could lead to a kernel panic when a host sends an H2CData PDU with an invalid length. This article gives an overview of the vulnerability, a code snippet illustrating the fix, and links to the original references, so that administrators, developers, and users of the Linux kernel are aware of this fix and the stability it restores.

In the Linux kernel, the following vulnerability has been resolved:

nvmet-tcp: Fix a kernel panic when host sends an invalid H2C PDU length

If the host sends an H2CData PDU with an invalid DATAL (data length) field, the kernel may crash in the nvmet_tcp_build_pdu_iovec() function with an unhandled NULL pointer dereference, which results in a kernel panic. The message generated by the kernel can be seen below:

Unable to handle kernel NULL pointer dereference at
virtual address 000000000000000
lr : nvmet_tcp_io_work+0x6ac/0x718 [nvmet_tcp]
Call trace:
  process_one_work+0x174/0x3c8
  worker_thread+0x2d/0x3e8
  kthread+0x104/0x110

Fix

To address this issue, raise a fatal error if DATAL isn't coherent with the packet size (the PDU's PLEN minus the header and any enabled digests). The PDU length must also never exceed the MAXH2CDATA parameter, which the target communicated to the host in nvmet_tcp_handle_icreq().

/* Illustrative check (not the verbatim upstream diff). expected_data_len is
 * the data length implied by the PDU's PLEN after subtracting the header
 * length and the header/data digest lengths in use on this queue. */
if (data_len == 0 || data_len != expected_data_len ||
    data_len > NVMET_TCP_MAXH2CDATA) {
	pr_err("H2CData PDU len %u is invalid\n", data_len);
	nvmet_tcp_fatal_error(queue);
	return -EPROTO;
}

With this check in place, an invalid DATAL value terminates the connection with a fatal transport error before the PDU is turned into an iovec, so the NULL pointer dereference that crashed the kernel can no longer be reached.
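To make the validation concrete, here is an added user-space example (not code from the kernel or from the page) that parses a constructed NVMe/TCP H2CData PDU header and applies the checks the fix describes: DATAL must equal PLEN minus the header and digest overhead, must be non-zero, and must not exceed the MAXH2CDATA limit, with transfer tag and data offset sanity checks alongside. The 24-byte header layout and the PDU type value 0x06 follow the NVMe/TCP PDU definition; the MAXH2CDATA_LIMIT value, the digest sizes, and all sample PDUs are assumptions constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* NVMe/TCP H2CData PDU header: 8-byte common header + 16 bytes of
 * H2CData-specific fields. All multi-byte fields are little-endian. */
#define H2C_PDU_TYPE      0x06u
#define H2C_HDR_LEN       24u
#define DIGEST_LEN        4u                 /* CRC32C header/data digest, when enabled */
/* Assumed MAXH2CDATA the target advertised in its ICResp (page gives no value). */
#define MAXH2CDATA_LIMIT  (4u * 1024u * 1024u)

struct h2c_hdr {
    uint8_t  type, flags, hlen, pdo;
    uint32_t plen;    /* PLEN: whole PDU incl. header, digests and data */
    uint16_t cccid, ttag;
    uint32_t datao;   /* DATAO: offset of this chunk within the command's data */
    uint32_t datal;   /* DATAL: bytes of data carried by this PDU */
};

enum h2c_verdict {
    H2C_OK = 0,
    H2C_ERR_SHORT,    /* buffer shorter than a PDU header */
    H2C_ERR_TYPE,     /* not an H2CData PDU */
    H2C_ERR_TTAG,     /* transfer tag does not index a queue command */
    H2C_ERR_OFFSET,   /* DATAO disagrees with bytes already received */
    H2C_ERR_DATAL     /* DATAL zero, above MAXH2CDATA, or != PLEN - overhead */
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr16(uint8_t *p, uint16_t v) { p[0] = v & 0xff; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) {
    p[0] = v & 0xff; p[1] = (v >> 8) & 0xff; p[2] = (v >> 16) & 0xff; p[3] = (uint8_t)(v >> 24);
}

/* Build a constructed H2CData header (test input, not captured traffic). */
void build_h2c_header(uint8_t buf[H2C_HDR_LEN], uint32_t plen, uint16_t ttag,
                      uint32_t datao, uint32_t datal)
{
    memset(buf, 0, H2C_HDR_LEN);
    buf[0] = H2C_PDU_TYPE;
    buf[2] = H2C_HDR_LEN;          /* HLEN */
    buf[3] = H2C_HDR_LEN;          /* PDO: data starts right after the header */
    wr32(buf + 4, plen);
    wr16(buf + 8, 1);              /* CCCID: arbitrary command id */
    wr16(buf + 10, ttag);
    wr32(buf + 12, datao);
    wr32(buf + 16, datal);
}

int parse_h2c_header(const uint8_t *buf, size_t len, struct h2c_hdr *h)
{
    if (len < H2C_HDR_LEN) return -1;
    h->type = buf[0]; h->flags = buf[1]; h->hlen = buf[2]; h->pdo = buf[3];
    h->plen  = rd32(buf + 4);
    h->cccid = rd16(buf + 8);
    h->ttag  = rd16(buf + 10);
    h->datao = rd32(buf + 12);
    h->datal = rd32(buf + 16);
    return 0;
}

/* The checks the fix describes, plus tag/offset sanity. Returns H2C_OK only
 * when DATAL is exactly what PLEN implies and within the advertised limit. */
enum h2c_verdict validate_h2c(const struct h2c_hdr *h, int hdgst_on, int ddgst_on,
                              unsigned nr_cmds, uint32_t rbytes_done)
{
    uint32_t overhead = H2C_HDR_LEN + (hdgst_on ? DIGEST_LEN : 0) + (ddgst_on ? DIGEST_LEN : 0);

    if (h->type != H2C_PDU_TYPE) return H2C_ERR_TYPE;
    if (h->ttag >= nr_cmds)      return H2C_ERR_TTAG;
    if (h->datao != rbytes_done) return H2C_ERR_OFFSET;
    if (h->plen < overhead)      return H2C_ERR_DATAL;   /* guard the subtraction */
    uint32_t exp_datal = h->plen - overhead;
    if (h->datal == 0 || h->datal != exp_datal || h->datal > MAXH2CDATA_LIMIT)
        return H2C_ERR_DATAL;
    return H2C_OK;
}

enum h2c_verdict check_h2c_pdu(const uint8_t *buf, size_t len, int hdgst_on, int ddgst_on,
                               unsigned nr_cmds, uint32_t rbytes_done)
{
    struct h2c_hdr h;
    if (parse_h2c_header(buf, len, &h) < 0) return H2C_ERR_SHORT;
    return validate_h2c(&h, hdgst_on, ddgst_on, nr_cmds, rbytes_done);
}

int main(void)
{
    uint8_t pdu[H2C_HDR_LEN];
    build_h2c_header(pdu, H2C_HDR_LEN + 4096, 3, 0, 4096);        /* consistent PDU */
    printf("consistent DATAL  -> %d\n", check_h2c_pdu(pdu, sizeof pdu, 0, 0, 128, 0));
    build_h2c_header(pdu, H2C_HDR_LEN + 4096, 3, 0, 0x7fffffffu); /* DATAL != PLEN - 24 */
    printf("oversized DATAL   -> %d\n", check_h2c_pdu(pdu, sizeof pdu, 0, 0, 128, 0));
    return 0;
}
```

The same header is accepted or rejected depending on which digests the queue negotiated, because the expected DATAL is derived from PLEN minus the overhead actually in use; a check that looks at DATAL in isolation, as the pre-fix code effectively did, cannot catch a length that disagrees with the packet.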

Original References

Further information about the vulnerability and the fix is available in the Linux kernel source code repository, by browsing the git commit history of drivers/nvme/target/tcp.c.

- Linux kernel source code
- Commit resolving the vulnerability

Conclusion

This article covered CVE-2023-52454, a vulnerability in the Linux kernel's nvmet-tcp module in which an invalid H2C PDU length caused a kernel panic. The fix validates the DATAL value of an H2CData PDU against the packet size and rejects any PDU whose length exceeds the MAXH2CDATA parameter communicated to the host, raising a fatal transport error instead of dereferencing a NULL pointer. Administrators, developers, and users of Linux systems should be aware of this fix and apply kernels that include it.

Timeline

Published on: 02/23/2024 15:15:08 UTC
Last modified on: 04/19/2024 18:40:14 UTC