Bugzilla – Bug 1217384
VUL-0: CVE-2023-6238: kernel-source,kernel-source-azure,kernel-source-rt: nvme: memory corruption via unprivileged user passthrough
Last modified: 2024-07-08 14:30:41 UTC
A buffer overflow vulnerability was found in the NVM Express (NVMe) driver in the Linux kernel. An unprivileged user could specify a small meta buffer and let the device perform larger Direct Memory Access (DMA) into the same buffer, overwriting unrelated kernel memory, causing random kernel crashes and memory corruption. References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-6238 https://lore.kernel.org/linux-nvme/20231013051458.39987-1-joshi.k@samsung.com/T/#u https://lore.kernel.org/linux-nvme/20231016060519.231880-1-joshi.k@samsung.com/T/#u
(In reply to SMASH SMASH from comment #0) > https://lore.kernel.org/linux-nvme/20231013051458.39987-1-joshi.k@samsung. > com/T/#u We have 63263d60e0f9 ("nvme: Use metadata for passthrough commands") in cve/linux-4.12 and newer.
(In reply to SMASH SMASH from comment #0) > A buffer overflow vulnerability was found in the NVM Express (NVMe) driver in > the Linux kernel. An unprivileged user could specify a small meta buffer and > let > the device perform larger Direct Memory Access (DMA) into the same buffer, > overwriting unrelated kernel memory, causing random kernel crashes and memory > corruption. > > References: > http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-6238 > https://lore.kernel.org/linux-nvme/20231013051458.39987-1-joshi.k@samsung. > com/T/#u > https://lore.kernel.org/linux-nvme/20231016060519.231880-1-joshi.k@samsung. > com/T/#u Those patches are not merged to mainline yet.
Hi Daniel, Because this CVE issue relates to NVMe. Could you please help to follow and handle it? If this is not in your area, just reset bug assigner to kernel-bugs@suse.de. Kernel Security Sentinel will find other expert. Thanks a lot!
There is no bug fix available and I don't know when there will be a fix available. Per default the device node is only accessible by root, thus there is no additional problem because root can read/write the full disk anyway. This security problem is only relevant when non-root user are able to the access the nvme device node. Furthermore, the mentioned patches bring back CAP_SYS_ADMIN which is essentially broken (see man pages).
root needs to give a normal user write access to /dev/nvme?n? to be able to execute the passthru code path. So I consider this not really a problem right now. Though it's a real bug but not exploitable except root. There are plans to allow non root user to issue commands with io_uring. We don't support this right now. This part of the code base is still a bit fresh and needs some more stabilization work before we can even consider it to enable it. It will also need some eyes from the security folks to stare at it.
We also need to consider lockdown-bypass as scenario. eg escalating from "root" to "kernel code execution" in secure boot scenarios.
any update?
I've missed the comment. Sorry about that. As far I understand the upstream discussion, root will be able to setup commands which corrupt kernel memory. And the possible fix is discussed here: > On Thu, Oct 26, 2023 at 08:03:30PM +0530, Kanchan Joshi wrote: > > On Mon, Oct 16, 2023 at 11:16 AM Christoph Hellwig <hch@lst.de> wrote: > > > > > > On Mon, Oct 16, 2023 at 12:49:45AM +0530, Kanchan Joshi wrote: > > > > OTOH, this patch implemented a software-only way out. There are some > > > > checks, but someone (either SW or HW) has to do those to keep things > > > > right. > > > > > > It only verifies it to the read/write family of commands by > > > interpreting these commands. It still leaves a wide hole for any > > > other command. > > > > Can you please explain for what command do you see the hole? I am > > trying to see if it is really impossible to fix this hole for good. > > > > We only need to check for specific io commands of the NVM/ZNS command > > set that can do extra DMA. > > The spec defines a few commands that may use MPTR, but most of the > possible opcodes that could use it are not defined in spec. You'd have > to break forward compatibility through this interface for non-root users > by limiting its use to only the known opcodes and reject everything > else. But I don't have seen any patches for this.
No, no-one has worked on this topic, thus no progression.
still open wanted by our certifier also for SLES 15 SP4 kernel. Can you try to work on this yourself?
Fixed by these patches: 313c08c72ee7f87c54e34baec5cc4f4005e8800d nvme: don't allow unprivileged passthrough on partitions 7b7fdb8e2dbc15ad4e81a328f1c60d1691c6d6be nvme: replace the "bool vec" arguments with flags in the ioctl path 2fa1dc8637b5f3397f22b2771f8a4fb8712c10dc nvme: remove __nvme_ioctl
Thanks for identifying the fixes. I'll port them.
So after looking into these patches and also on the dependencies, I don't think we should back port them. The changes are big and invasive. These old kernel do not support to the lockdown feature so we can argue this is not a security issue (see comment#10). If we still want to do something, we could instead just disable this interface. It's very unlikely any one is using it anyway. We could make it a boot option to keep some flexibility. IIRC, only SP6 support the lockdown and for this the dependencies are not a problem as far I can tell. │
sle15sp6 and sle15sp6-ga already have the mentioned fixes from comment#18 (v6.3) I've experimented with disabling the passthru when lockdown is enabled but this doesn't work as expected. It also blocks the normal nvme-cli commands.
The fixes mentioned in comment#18 are fixing 855b7717f44b ("nvme: fine-granular CAP_SYS_ADMIN for nvme io commands") e4fbcf32c860 ("nvme: identify-namespace without CAP_SYS_ADMIN") The cve/linux-5.3 and cve/linux-5.14 branches doesn't have these commit, they were released with the v6.2 upstream release. Also only cve/linux-5.3 and cvs/linux-5.14 base product support the lockdown feature. This means, only sle15sp6 was effected and the upstream fixes are already in.
seems done
Found the 'proper' fix. Which is to disable the whole thing. So we need this for sle15sp6, the other kernel branches don't have 855b7717f44b ("nvme: fine-granular CAP_SYS_ADMIN for nvme io commands") https://lore.kernel.org/linux-nvme/20231016060519.231880-1-joshi.k@samsung.com/T/#u
There was more discussion on the mentioned fix from comment#24. The right fix is this series: https://lore.kernel.org/all/20231130215309.2923568-1-kbusch@meta.com
SUSE-SU-2024:2135-1: An update that solves 428 vulnerabilities, contains 15 features and has 78 security fixes can now be installed. Category: security (important) Bug References: 1012628, 1065729, 1181674, 1187716, 1193599, 1194869, 1207948, 1208593, 1209657, 1213573, 1214852, 1215199, 1216196, 1216358, 1216702, 1217169, 1217384, 1217408, 1217489, 1217750, 1217959, 1218205, 1218336, 1218447, 1218562, 1218779, 1218917, 1219104, 1219170, 1219596, 1219623, 1219834, 1220021, 1220045, 1220120, 1220148, 1220328, 1220342, 1220428, 1220430, 1220569, 1220587, 1220738, 1220783, 1220915, 1221044, 1221276, 1221293, 1221303, 1221375, 1221504, 1221612, 1221615, 1221635, 1221645, 1221649, 1221765, 1221777, 1221783, 1221816, 1221829, 1221830, 1221858, 1222115, 1222173, 1222264, 1222273, 1222294, 1222301, 1222303, 1222304, 1222307, 1222357, 1222366, 1222368, 1222371, 1222378, 1222379, 1222385, 1222422, 1222426, 1222428, 1222437, 1222445, 1222459, 1222464, 1222489, 1222522, 1222525, 1222527, 1222531, 1222532, 1222549, 1222550, 1222557, 1222559, 1222563, 1222585, 1222586, 1222596, 1222606, 1222608, 1222613, 1222615, 1222618, 1222622, 1222624, 1222627, 1222630, 1222635, 1222721, 1222727, 1222769, 1222771, 1222772, 1222775, 1222777, 1222780, 1222782, 1222793, 1222799, 1222801, 1222968, 1223007, 1223011, 1223015, 1223016, 1223020, 1223023, 1223024, 1223030, 1223033, 1223034, 1223035, 1223038, 1223039, 1223041, 1223045, 1223046, 1223051, 1223052, 1223058, 1223060, 1223061, 1223076, 1223077, 1223084, 1223111, 1223113, 1223138, 1223143, 1223187, 1223189, 1223190, 1223191, 1223198, 1223202, 1223285, 1223315, 1223338, 1223369, 1223380, 1223384, 1223390, 1223439, 1223462, 1223532, 1223539, 1223575, 1223590, 1223591, 1223592, 1223593, 1223625, 1223628, 1223629, 1223633, 1223634, 1223637, 1223641, 1223643, 1223649, 1223650, 1223651, 1223652, 1223653, 1223654, 1223655, 1223660, 1223661, 1223663, 1223664, 1223665, 1223666, 1223668, 1223669, 1223670, 1223671, 1223675, 1223677, 1223678, 1223686, 1223692, 1223693, 1223695, 1223696, 1223698, 1223705, 1223712, 1223718, 1223728, 1223732, 1223735, 1223739, 1223741, 1223744, 1223745, 1223747, 1223748, 1223749, 1223750, 1223752, 1223754, 1223757, 1223759, 1223761, 1223762, 1223774, 1223782, 1223787, 1223788, 1223789, 1223790, 1223802, 1223805, 1223810, 1223822, 1223827, 1223831, 1223834, 1223838, 1223869, 1223870, 1223871, 1223872, 1223874, 1223944, 1223945, 1223946, 1223991, 1224076, 1224096, 1224098, 1224099, 1224137, 1224166, 1224174, 1224177, 1224180, 1224181, 1224331, 1224348, 1224423, 1224429, 1224430, 1224432, 1224433, 1224437, 1224438, 1224442, 1224443, 1224445, 1224449, 1224477, 1224479, 1224480, 1224481, 1224482, 1224486, 1224487, 1224488, 1224491, 1224492, 1224493, 1224494, 1224495, 1224500, 1224501, 1224502, 1224504, 1224505, 1224506, 1224507, 1224508, 1224509, 1224511, 1224513, 1224517, 1224519, 1224521, 1224524, 1224525, 1224526, 1224530, 1224531, 1224534, 1224537, 1224541, 1224542, 1224543, 1224546, 1224550, 1224552, 1224553, 1224555, 1224557, 1224558, 1224559, 1224562, 1224565, 1224566, 1224567, 1224568, 1224569, 1224571, 1224573, 1224576, 1224577, 1224578, 1224579, 1224580, 1224581, 1224582, 1224585, 1224586, 1224587, 1224588, 1224592, 1224596, 1224598, 1224600, 1224601, 1224602, 1224603, 1224605, 1224607, 1224608, 1224609, 1224611, 1224613, 1224615, 1224617, 1224618, 1224620, 1224621, 1224622, 1224623, 1224624, 1224626, 1224627, 1224628, 1224629, 1224630, 1224632, 1224633, 1224634, 1224636, 1224637, 1224638, 1224639, 1224640, 1224643, 1224644, 1224645, 1224646, 1224647, 1224648, 1224649, 1224650, 1224651, 1224652, 1224653, 1224654, 1224657, 1224660, 1224663, 1224664, 1224665, 1224666, 1224667, 1224668, 1224671, 1224672, 1224674, 1224675, 1224676, 1224677, 1224678, 1224679, 1224680, 1224681, 1224682, 1224683, 1224685, 1224686, 1224687, 1224688, 1224692, 1224696, 1224697, 1224699, 1224701, 1224703, 1224704, 1224705, 1224706, 1224707, 1224709, 1224710, 1224712, 1224714, 1224716, 1224717, 1224718, 1224719, 1224720, 1224721, 1224722, 1224723, 1224725, 1224727, 1224728, 1224729, 1224730, 1224731, 1224732, 1224733, 1224736, 1224738, 1224739, 1224740, 1224741, 1224742, 1224747, 1224749, 1224763, 1224764, 1224765, 1224766, 1224790, 1224792, 1224793, 1224803, 1224804, 1224866, 1224936, 1224989, 1225007, 1225053, 1225133, 1225134, 1225136, 1225172, 1225502, 1225578, 1225579, 1225580, 1225593, 1225605, 1225607, 1225610, 1225616, 1225618, 1225640, 1225642, 1225692, 1225694, 1225695, 1225696, 1225698, 1225699, 1225704, 1225705, 1225708, 1225710, 1225712, 1225714, 1225715, 1225720, 1225722, 1225728, 1225734, 1225735, 1225736, 1225747, 1225748, 1225749, 1225750, 1225756, 1225765, 1225766, 1225769, 1225773, 1225775, 1225842, 1225945 CVE References: CVE-2023-0160, CVE-2023-47233, CVE-2023-52434, CVE-2023-52458, CVE-2023-52463, CVE-2023-52472, CVE-2023-52483, CVE-2023-52492, CVE-2023-52503, CVE-2023-52591, CVE-2023-52608, CVE-2023-52616, CVE-2023-52618, CVE-2023-52631, CVE-2023-52635, CVE-2023-52640, CVE-2023-52641, CVE-2023-52645, CVE-2023-52652, CVE-2023-52653, CVE-2023-52654, CVE-2023-52655, CVE-2023-52657, CVE-2023-52658, CVE-2023-52659, CVE-2023-52660, CVE-2023-52661, CVE-2023-52662, CVE-2023-52663, CVE-2023-52664, CVE-2023-52667, CVE-2023-52669, CVE-2023-52670, CVE-2023-52671, CVE-2023-52673, CVE-2023-52674, CVE-2023-52675, CVE-2023-52676, CVE-2023-52678, CVE-2023-52679, CVE-2023-52680, CVE-2023-52681, CVE-2023-52683, CVE-2023-52685, CVE-2023-52686, CVE-2023-52687, CVE-2023-52690, CVE-2023-52691, CVE-2023-52692, CVE-2023-52693, CVE-2023-52694, CVE-2023-52695, CVE-2023-52696, CVE-2023-52697, CVE-2023-52698, CVE-2023-52771, CVE-2023-52772, CVE-2023-52860, CVE-2023-52882, CVE-2023-6238, CVE-2023-6270, CVE-2023-6531, CVE-2023-7042, CVE-2024-0639, CVE-2024-21823, CVE-2024-22099, CVE-2024-23848, CVE-2024-24861, CVE-2024-25739, CVE-2024-26601, CVE-2024-26611, CVE-2024-26614, CVE-2024-26632, CVE-2024-26638, CVE-2024-26642, CVE-2024-26643, CVE-2024-26652, CVE-2024-26654, CVE-2024-26656, CVE-2024-26657, CVE-2024-26671, CVE-2024-26673, CVE-2024-26674, CVE-2024-26675, CVE-2024-26679, CVE-2024-26684, CVE-2024-26685, CVE-2024-26692, CVE-2024-26696, CVE-2024-26697, CVE-2024-26704, CVE-2024-26714, CVE-2024-26726, CVE-2024-26731, CVE-2024-26733, CVE-2024-26736, CVE-2024-26737, CVE-2024-26739, CVE-2024-26740, CVE-2024-26742, CVE-2024-26756, CVE-2024-26757, CVE-2024-26760, CVE-2024-267600, CVE-2024-26761, CVE-2024-26764, CVE-2024-26769, CVE-2024-26772, CVE-2024-26773, CVE-2024-26774, CVE-2024-26775, CVE-2024-26779, CVE-2024-26783, CVE-2024-26786, CVE-2024-26791, CVE-2024-26793, CVE-2024-26794, CVE-2024-26802, CVE-2024-26805, CVE-2024-26807, CVE-2024-26815, CVE-2024-26816, CVE-2024-26822, CVE-2024-26828, CVE-2024-26832, CVE-2024-26836, CVE-2024-26844, CVE-2024-26846, CVE-2024-26848, CVE-2024-26853, CVE-2024-26854, CVE-2024-26855, CVE-2024-26856, CVE-2024-26857, CVE-2024-26858, CVE-2024-26860, CVE-2024-26861, CVE-2024-26862, CVE-2024-26866, CVE-2024-26868, CVE-2024-26870, CVE-2024-26878, CVE-2024-26881, CVE-2024-26882, CVE-2024-26883, CVE-2024-26884, CVE-2024-26885, CVE-2024-26898, CVE-2024-26899, CVE-2024-26900, CVE-2024-26901, CVE-2024-26903, CVE-2024-26906, CVE-2024-26909, CVE-2024-26921, CVE-2024-26922, CVE-2024-26923, CVE-2024-26925, CVE-2024-26928, CVE-2024-26932, CVE-2024-26933, CVE-2024-26934, CVE-2024-26935, CVE-2024-26937, CVE-2024-26938, CVE-2024-26940, CVE-2024-26943, CVE-2024-26945, CVE-2024-26946, CVE-2024-26948, CVE-2024-26949, CVE-2024-26950, CVE-2024-26951, CVE-2024-26956, CVE-2024-26957, CVE-2024-26958, CVE-2024-26960, CVE-2024-26961, CVE-2024-26962, CVE-2024-26963, CVE-2024-26964, CVE-2024-26972, CVE-2024-26973, CVE-2024-26978, CVE-2024-26979, CVE-2024-26981, CVE-2024-26982, CVE-2024-26983, CVE-2024-26984, CVE-2024-26986, CVE-2024-26988, CVE-2024-26989, CVE-2024-26990, CVE-2024-26991, CVE-2024-26992, CVE-2024-26993, CVE-2024-26994, CVE-2024-26995, CVE-2024-26996, CVE-2024-26997, CVE-2024-26999, CVE-2024-27000, CVE-2024-27001, CVE-2024-27002, CVE-2024-27003, CVE-2024-27004, CVE-2024-27008, CVE-2024-27013, CVE-2024-27014, CVE-2024-27022, CVE-2024-27027, CVE-2024-27028, CVE-2024-27029, CVE-2024-27030, CVE-2024-27031, CVE-2024-27036, CVE-2024-27046, CVE-2024-27056, CVE-2024-27057, CVE-2024-27062, CVE-2024-27067, CVE-2024-27080, CVE-2024-27388, CVE-2024-27389, CVE-2024-27393, CVE-2024-27395, CVE-2024-27396, CVE-2024-27398, CVE-2024-27399, CVE-2024-27400, CVE-2024-27401, CVE-2024-27405, CVE-2024-27408, CVE-2024-27410, CVE-2024-27411, CVE-2024-27412, CVE-2024-27413, CVE-2024-27416, CVE-2024-27417, CVE-2024-27418, CVE-2024-27431, CVE-2024-27432, CVE-2024-27434, CVE-2024-27435, CVE-2024-27436, CVE-2024-35784, CVE-2024-35786, CVE-2024-35788, CVE-2024-35789, CVE-2024-35790, CVE-2024-35791, CVE-2024-35794, CVE-2024-35795, CVE-2024-35796, CVE-2024-35799, CVE-2024-35800, CVE-2024-35801, CVE-2024-35803, CVE-2024-35804, CVE-2024-35806, CVE-2024-35808, CVE-2024-35809, CVE-2024-35810, CVE-2024-35811, CVE-2024-35812, CVE-2024-35813, CVE-2024-35814, CVE-2024-35815, CVE-2024-35817, CVE-2024-35819, CVE-2024-35821, CVE-2024-35822, CVE-2024-35823, CVE-2024-35824, CVE-2024-35825, CVE-2024-35828, CVE-2024-35829, CVE-2024-35830, CVE-2024-35833, CVE-2024-35834, CVE-2024-35835, CVE-2024-35836, CVE-2024-35837, CVE-2024-35838, CVE-2024-35841, CVE-2024-35842, CVE-2024-35845, CVE-2024-35847, CVE-2024-35849, CVE-2024-35850, CVE-2024-35851, CVE-2024-35852, CVE-2024-35854, CVE-2024-35860, CVE-2024-35861, CVE-2024-35862, CVE-2024-35863, CVE-2024-35864, CVE-2024-35865, CVE-2024-35866, CVE-2024-35867, CVE-2024-35868, CVE-2024-35869, CVE-2024-35870, CVE-2024-35872, CVE-2024-35875, CVE-2024-35877, CVE-2024-35878, CVE-2024-35879, CVE-2024-35883, CVE-2024-35885, CVE-2024-35887, CVE-2024-35889, CVE-2024-35891, CVE-2024-35895, CVE-2024-35901, CVE-2024-35903, CVE-2024-35904, CVE-2024-35905, CVE-2024-35907, CVE-2024-35909, CVE-2024-35911, CVE-2024-35912, CVE-2024-35914, CVE-2024-35915, CVE-2024-35916, CVE-2024-35917, CVE-2024-35921, CVE-2024-35922, CVE-2024-35924, CVE-2024-35927, CVE-2024-35928, CVE-2024-35930, CVE-2024-35931, CVE-2024-35932, CVE-2024-35933, CVE-2024-35935, CVE-2024-35936, CVE-2024-35937, CVE-2024-35938, CVE-2024-35940, CVE-2024-35943, CVE-2024-35944, CVE-2024-35945, CVE-2024-35946, CVE-2024-35947, CVE-2024-35950, CVE-2024-35951, CVE-2024-35952, CVE-2024-35953, CVE-2024-35954, CVE-2024-35955, CVE-2024-35956, CVE-2024-35958, CVE-2024-35959, CVE-2024-35960, CVE-2024-35961, CVE-2024-35963, CVE-2024-35964, CVE-2024-35965, CVE-2024-35966, CVE-2024-35967, CVE-2024-35969, CVE-2024-35971, CVE-2024-35972, CVE-2024-35973, CVE-2024-35974, CVE-2024-35975, CVE-2024-35977, CVE-2024-35978, CVE-2024-35981, CVE-2024-35982, CVE-2024-35984, CVE-2024-35986, CVE-2024-35989, CVE-2024-35990, CVE-2024-35991, CVE-2024-35992, CVE-2024-35995, CVE-2024-35997, CVE-2024-35999, CVE-2024-36002, CVE-2024-36006, CVE-2024-36007, CVE-2024-36009, CVE-2024-36011, CVE-2024-36012, CVE-2024-36013, CVE-2024-36014, CVE-2024-36015, CVE-2024-36016, CVE-2024-36018, CVE-2024-36019, CVE-2024-36020, CVE-2024-36021, CVE-2024-36025, CVE-2024-36026, CVE-2024-36029, CVE-2024-36030, CVE-2024-36032, CVE-2024-36880, CVE-2024-36885, CVE-2024-36890, CVE-2024-36891, CVE-2024-36893, CVE-2024-36894, CVE-2024-36895, CVE-2024-36896, CVE-2024-36897, CVE-2024-36898, CVE-2024-36906, CVE-2024-36918, CVE-2024-36921, CVE-2024-36922, CVE-2024-36928, CVE-2024-36930, CVE-2024-36931, CVE-2024-36936, CVE-2024-36940, CVE-2024-36941, CVE-2024-36942, CVE-2024-36944, CVE-2024-36947, CVE-2024-36949, CVE-2024-36950, CVE-2024-36951, CVE-2024-36955, CVE-2024-36959 Jira References: PED-3184, PED-3311, PED-3535, PED-4486, PED-4593, PED-5062, PED-542, PED-5728, PED-5853, PED-6079, PED-6252, PED-7542, PED-7619, PED-8111, PED-8240 Maintenance Incident: [SUSE:Maintenance:34127](https://smelt.suse.de/incident/34127/) Sources used: openSUSE Leap 15.6 (src): kernel-syms-azure-6.4.0-150600.8.5.1, kernel-source-azure-6.4.0-150600.8.5.4 Public Cloud Module 15-SP6 (src): kernel-syms-azure-6.4.0-150600.8.5.1, kernel-source-azure-6.4.0-150600.8.5.4 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.