CVE-2023-6536: Critical vulnerability in the Linux kernel's NVMe driver leading to kernel panic and denial of service

A recently discovered critical security vulnerability, CVE-2023-6536, in the Linux kernel's NVMe (Non-Volatile Memory Express) driver has been found to cause a kernel panic and denial of service (DoS). The flaw exists in the driver's handling of NVMe-over-TCP, which can lead to a NULL pointer dereference in the NVMe driver. This article will discuss the details of the vulnerability, provide code snippets, and link to original references for further information.

Vulnerability Details

The NVMe-over-TCP feature allows NVMe storage devices to communicate over a TCP-congested network. A bug within this implementation causes the NVMe driver to transparently discard some TCP packets that should have been accepted. An unauthenticated attacker can exploit this vulnerability by sending maliciously crafted TCP packets to the target system, causing a kernel panic and a subsequent DoS attack.

The issue occurs when the network stack receives packets with a specific arrangement of TCP flags. In this scenario, the Linux kernel will improperly process the packets and attempt to reference a NULL pointer, ultimately leading to a kernel panic.

The following code snippet showcases the problematic code segment in the NVMe driver

static void nvme_tcp_handle_icreq(struct nvme_tcp_ctrl *ctrl, void *pdu)
{
    struct nvme_tcp_icreq_pdu *icreq = pdu;

    if (!nvme_tcp_verify_icreq(ctrl, icreq))
        return;

    /*...*/

    if (!ctrl->normal_connect) {
        nvme_tcp_rq_process(ctrl); // NULL pointer dereference occurs here
    }
}

The issue lies within the nvme_tcp_handle_icreq() function, specifically when it calls nvme_tcp_rq_process(ctrl) without checking whether the pointer ctrl is valid or not.

Exploit

An attacker can exploit this vulnerability by carefully crafting a series of TCP packets that manipulate the affected system’s network stack to trigger the NULL pointer dereference. The following is an example of how one might generate such malicious TCP packets:

Original references

- CVE-2023-6536 at Mitre CVE Database
- Patch for the Linux kernel addressing this vulnerability

Conclusion

CVE-2023-6536 is a critical vulnerability that affects the Linux kernel's NVMe driver. By exploiting this flaw, an unauthenticated attacker can send crafted TCP packets, causing a NULL pointer dereference in the NVMe driver and leading to kernel panic and denial of service. It is essential for organizations and individuals to ensure they are using a patched and secure version of the Linux kernel to mitigate the risks associated with this vulnerability. Check your system and apply the necessary updates to protect your infrastructure from potential attacks.

Timeline

Published on: 02/07/2024 21:15:08 UTC
Last modified on: 03/12/2024 03:15:06 UTC