Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
A vulnerability in the Linux kernel's NVMe PCI endpoint function target driver can lead to a double command completion. It lies in the NVMe over Fabrics (NVMe-oF) subsystem, specifically in the PCI endpoint function (EPF) target driver. The problem arises when the command initialization function 'nvmet_req_init()' fails, for example when an unsupported opcode is received. The failure triggers the response queue callback, which completes the command immediately. The work function that called 'nvmet_req_init()' then completes the same command a second time, so the host receives a duplicate completion and the internal state of the PCI NVMe target is corrupted, which can result in a kernel oops.
Triggering this vulnerability completes a command twice, so the host receives two completion entries instead of one. The duplicate completion disrupts the expected command processing flow and corrupts the state of the PCI NVMe target, leading to a kernel oops, a serious indication of a fault in the kernel's operation.
To reproduce this vulnerability, send a command with an unsupported opcode using the 'nvme-cli' tool; the admin command 'security receive' is one example. When this command is received, 'nvmet_req_init()' fails because of the unsupported opcode and calls 'nvmet_pci_epf_queue_response()'. That function checks the command's data length and DMA direction: if the data length is zero or the DMA direction is not 'DMA_TO_DEVICE', it calls 'nvmet_pci_epf_complete_iod()' to complete the command. However, 'nvmet_pci_epf_exec_iod_work()', the caller of 'nvmet_req_init()', does not account for the command having already been completed on the failure path and calls 'nvmet_pci_epf_complete_iod()' again, resulting in a double completion. This not only sends two completions to the host but also corrupts the state of the PCI NVMe target, leading to a kernel oops.
Users can apply the patch available in the Linux kernel stable tree to address this vulnerability. The fix is upstream commit '746d0ac5a07d5da952ef258dd4d75f0b26c96476' in the Linux kernel Git repository.
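The control flow described above, as a constructed C model that is not the driver's code: the stand-in functions mirror the names in the description, the opcode value is illustrative, and the early-return shape of the corrected work function is an assumption about the fix rather than a quotation of the upstream commit.

```c
#include <stdbool.h>
#include <stddef.h>
/* Constructed model of the flow described above, not driver code; names mirror the description. */
enum dma_dir { DMA_NONE, DMA_TO_DEVICE, DMA_FROM_DEVICE };
#define OPC_UNSUPPORTED 0x82  /* constructed: stands for any opcode the target lacks */
struct iod {
    unsigned char opcode;
    size_t data_len;
    enum dma_dir dma_dir;
    int completions;  /* completions posted to the host for this command */
};
/* Stands in for nvmet_pci_epf_complete_iod(). */
static void complete_iod(struct iod *iod) { iod->completions++; }
/* Stands in for nvmet_pci_epf_queue_response(): no data phase, so it completes here. */
static void queue_response(struct iod *iod)
{
    if (iod->data_len == 0 || iod->dma_dir != DMA_TO_DEVICE)
        complete_iod(iod);
}
/* Stands in for nvmet_req_init(): an unsupported opcode fails via the response-queue callback. */
static bool req_init(struct iod *iod)
{
    if (iod->opcode != OPC_UNSUPPORTED)
        return true;
    queue_response(iod);
    return false;
}
/* Buggy nvmet_pci_epf_exec_iod_work(): falls through to a second complete_iod(). */
void exec_iod_work_buggy(struct iod *iod)
{
    if (req_init(iod)) { /* ... execute the command ... */ }
    complete_iod(iod);  /* wrong: already completed when req_init() failed */
}
/* Assumed shape of the fix: return early, the failure path already completed. */
void exec_iod_work_fixed(struct iod *iod)
{
    if (!req_init(iod))
        return;
    /* ... execute the command ... */
    complete_iod(iod);
}
/* Submit one unsupported-opcode command and count the completions the host sees. */
int completions_for_unsupported(void (*work)(struct iod *))
{
    struct iod iod = { OPC_UNSUPPORTED, 0, DMA_NONE, 0 };
    work(&iod);
    return iod.completions;
}
```

With the buggy work function the model posts two completions for one command; with the early return it posts exactly one.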