Bug 2125341 (CVE-2022-3169)

Summary: CVE-2022-3169 Kernel: Request to NVME_IOCTL_RESET and NVME_IOCTL_SUBSYS_RESET may cause a DOS.
Product: [Other] Security Response Reporter: Rohit Keshri <rkeshri>
Component: vulnerability Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecified CC: acaringi, adscvr, airlied, alciregi, bhu, brdeoliv, bskeggs, chwhite, crwood, ddepaula, debarbos, dhoward, dvlasenk, fhrbata, hdegoede, hkrzesin, hpa, jarod, jarodwilson, jburrell, jfaracco, jferlan, jforbes, jglisse, jlelli, joe.lawrence, jonathan, josef, jshortt, jstancek, jwboyer, jwyatt, kcarcia, kernel-maint, kernel-mgr, lgoncalv, linville, lleshchi, lzampier, masami256, mchehab, nmurray, ptalbert, qzhao, rvrbovsk, scweaver, steve.beattie, steved, tyberry, vkumar, walters, williams
Target Milestone: --- Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the Linux kernel. A denial of service flaw may occur if there is a consecutive request of the NVME_IOCTL_RESET and the NVME_IOCTL_SUBSYS_RESET through the device file of the driver, resulting in a PCIe link disconnect.
Story Points: ---
Clone Of: Environment:
Last Closed: 2022-11-25 09:24:55 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2125347    
Bug Blocks: 2125338    

Description Rohit Keshri 2022-09-08 16:48:28 UTC
Vulnerability Description:
--------------------------
The latest version of the Linux nvme driver will cause a system crash when processing the NVME_IOCTL_RESET and NVME_IOCTL_SUBSYS_RESET user-mode ioctls.

Attack Process Description:

Quickly send NVME_IOCTL_SUBSYS_RESET through the device file of the driver; this operation will cause the PCIe link to be disconnected. The driver does not check the validity of the register before accessing the register.

As a result, the kernel is unable to handle a kernel paging request at virtual address ffff000081c42020. It is important to note that this operation does not require validation of the CAP_SYS_ADMIN permission.

Trace:
******
[361245.754472] nvme nvme2: resetting controller
[361245.754500] nvme nvme2: resetting controller
[361245.761914] nvme nvme2: resetting controller
[361245.762081] nvme nvme2: resetting controller
[361245.762136] nvme nvme2: resetting controller
[361245.762246] Unable to handle kernel paging request at virtual address ffff000081c42020
[361245.762247] Mem abort info:
[361245.762248]   ESR = 0x96000047
[361245.762250]   Exception class = DABT (current EL), IL = 32 bits
[361245.762251]   SET = 0, FnV = 0
[361245.762251]   EA = 0, S1PTW = 0
[361245.762252] Data abort info:
[361245.762253]   ISV = 0, ISS = 0x00000047
[361245.762254]   CM = 0, WnR = 1
[361245.762256] swapper pgtable: 4k pages, 48-bit VAs, pgdp = 00000000c96d3c05
[361245.762258] [ffff000081c42020] pgd=00002027ffffe003, pud=00002027ffffd003, pmd=00000027df6be003, pte=0000000000000000
[361245.762263] Internal error: Oops: 96000047 [#1] SMP
[361245.767407] Process trinity-c383 (pid: 2157089, stack limit = 0xffff000099ea8000)
[361245.775244] CPU: 95 PID: 2157089 Comm: trinity-c383 Kdump: loaded Tainted: G           OE     4.19.90-vhulk2011.1.0.h352.eulerosv2r9.aarch64 #1
[361245.788669] Hardware name: Huawei TaiShan 2280 V2/BC82AMDDA, BIOS 1.08 09/15/2019
[361245.796505] pstate: 60400009 (nZCv daif +PAN -UAO)
[361245.801548] pc : nvme_pci_reg_write32+0x30/0x48 [nvme]
[361245.806954] lr : nvme_dev_ioctl+0x74/0x1f0 [nvme_core]
[361245.812353] sp : ffff000099eabd00
[361245.815856] x29: ffff000099eabd00 x28: ffff80277c503e00 
[361245.821434] x27: 0000000000000000 x26: 0000000000000000 
[361245.827009] x25: 0000000056000000 x24: ffff8027811fdd68 
[361245.832587] x23: ffff8027d26e2700 x22: 0000000000000185 
[361245.838164] x21: ffffa0277d04e238 x20: 000000004e564d65 
[361245.843740] x19: ffff000081c42020 x18: 0000000000000000 
[361245.849315] x17: 0000000000000000 x16: 0000000000000000 
[361245.854891] x15: 0000000000000000 x14: 0000000000000000 
[361245.860467] x13: 0000000000000000 x12: 0000000000000000 
[361245.866043] x11: 0000000000000000 x10: 0000000000000000 
[361245.871620] x9 : 0000000000000000 x8 : 0000000000000000 
[361245.877197] x7 : ffff000099eabda8 x6 : 0000000000000000 
[361245.882774] x5 : 0000000000000000 x4 : 0000000000000000 
[361245.888350] x3 : ffff000000b180d0 x2 : 000000004e564d65 
[361245.893929] x1 : ffff000081c42000 x0 : ffff000000aaedcc 
[361245.899508] Call trace:
[361245.906638]  nvme_pci_reg_write32+0x30/0x48 [nvme]
[361245.916366]  nvme_dev_ioctl+0x74/0x1f0 [nvme_core]
[361245.925984]  do_vfs_ioctl+0xc4/0x8c0
[361245.934237]  ksys_ioctl+0x8c/0xa0
[361245.942028]  __arm64_sys_ioctl+0x28/0x98
[361245.950291]  el0_svc_common+0x80/0x1b8
[361245.958202]  el0_svc_handler+0x78/0xe0
[361245.965904]  el0_svc+0x10/0x260
[361245.972778] Code: d503201f d5033e9f f85682a1 8b334033 (b9000274) 
[361245.982651] kernel fault(0x1) notification starting on CPU 95
[361245.992186] kernel fault(0x1) notification finished on CPU 95
[361246.001591] [kbox] catch die event on cpu 95.
[361246.009623] [kbox] catch die event, start logging.
[361246.018015] [kbox] die info:Oops:0047.
[361246.025366] [kbox] start to collect.
[361246.033241] [kbox] collected_len = 176005, g_log_buf_len_local = 1048576
[361246.043774] [kbox] save kbox pre log success.
[361246.052027] [kbox] stack:
[361246.058383] [kbox] stack grow form: 0xffff000099eabd00 to 0xffff000099eac000.
..

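Vulnerable code
/drivers/nvme/host/pci.c

/* 32-bit register read straight from the BAR mapping; as the report notes,
 * nothing checks that the register is still valid before the access. */
static int nvme_pci_reg_read32(struct nvme_ctrl *ctrl, u32 off, u32 *val)
{
	*val = readl(to_nvme_dev(ctrl)->bar + off);
	return 0;
}

/* 32-bit register write; this is the function at pc in the trace above. */
static int nvme_pci_reg_write32(struct nvme_ctrl *ctrl, u32 off, u32 val)
{
	writel(val, to_nvme_dev(ctrl)->bar + off);
	return 0;
}

/* 64-bit register read, performed as two 32-bit reads (low half first). */
static int nvme_pci_reg_read64(struct nvme_ctrl *ctrl, u32 off, u64 *val)
{
	*val = lo_hi_readq(to_nvme_dev(ctrl)->bar + off);
	return 0;
}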

It's worth mentioning that I submitted this issue to Bugzilla in October last year, but I found that the issue remains unresolved to this day.
https://bugzilla.kernel.org/show_bug.cgi?id=214771
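
Added example, not part of the original report and not Red Hat or kernel project code: a triage check that scans a kernel log for the signature in the trace above, a burst of "resetting controller" messages on one NVMe controller followed by a paging-request oops whose pc is in one of the nvme_pci_reg_* accessors. The function name, the 50 ms window and the three-reset threshold are assumptions, and the pc line format is the arm64 one shown in the trace.

```python
import re
from collections import defaultdict

# Constructed sample: a few lines copied from the trace in this report.
SAMPLE = """\
[361245.754472] nvme nvme2: resetting controller
[361245.754500] nvme nvme2: resetting controller
[361245.761914] nvme nvme2: resetting controller
[361245.762081] nvme nvme2: resetting controller
[361245.762136] nvme nvme2: resetting controller
[361245.762246] Unable to handle kernel paging request at virtual address ffff000081c42020
[361245.762263] Internal error: Oops: 96000047 [#1] SMP
[361245.801548] pc : nvme_pci_reg_write32+0x30/0x48 [nvme]
[361245.806954] lr : nvme_dev_ioctl+0x74/0x1f0 [nvme_core]
"""

LINE = re.compile(r"^\[\s*(\d+\.\d+)\]\s+(.*)$")
RESET = re.compile(r"^nvme (nvme\d+): resetting controller$")
FAULT = re.compile(r"^Unable to handle kernel paging request at virtual address ([0-9a-f]+)$")
PC = re.compile(r"^pc : (nvme_pci_reg_(?:read32|write32|read64))\+")

def find_reset_storm_oops(log, window=0.05, min_resets=3):
    """Return one finding per controller whose reset burst precedes an oops
    in an NVMe PCI register accessor. window (seconds) and min_resets are
    assumed thresholds, not values from the report."""
    resets = defaultdict(list)   # controller name -> reset timestamps
    fault = None                 # (timestamp, address) of the pending fault
    findings = []
    for raw in log.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        ts, msg = float(m.group(1)), m.group(2).strip()
        if (r := RESET.match(msg)):
            resets[r.group(1)].append(ts)
        elif (f := FAULT.match(msg)):
            fault = (ts, f.group(1))
        elif fault and (p := PC.match(msg)):
            for ctrl, stamps in resets.items():
                burst = [t for t in stamps if 0 <= fault[0] - t <= window]
                if len(burst) >= min_resets:
                    findings.append({"controller": ctrl,
                                     "resets_in_window": len(burst),
                                     "fault_address": fault[1],
                                     "pc": p.group(1)})
            fault = None
    return findings

if __name__ == "__main__":
    for finding in find_reset_storm_oops(SAMPLE):
        print(finding)
```

On hosts that have not crashed, the reset-burst half of the check alone is a useful early signal, since repeated controller resets within milliseconds are not normal operation.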

Comment 1 Rohit Keshri 2022-09-08 17:12:24 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 2125347]

Comment 5 Product Security DevOps Team 2022-11-25 09:24:52 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-3169

Comment 6 Justin M. Forbes 2022-11-30 22:19:52 UTC
This was fixed for Fedora with the 6.0.10 stable kernel updates.