question about CVE-2022-3169

Chaitanya Kulkarni chaitanyak at nvidia.com
Thu Nov 10 17:37:55 PST 2022


Lian,

On 11/10/22 02:23, linan (AK) wrote:
> Hi,
> 1e866afd4bcd("nvme: ensure subsystem reset is single threaded")
> fixed CVE-2022-3169.
> 
> IIUC, the ERROR path I got in this CVE:
>             CPU1                                CPU2
> nvme_dev_ioctl                            nvme_dev_ioctl
>    nvme_reset_ctrl_sync                      nvme_reset_subsystem
>        reset_work
>          nvme_reset_work
>            nvme_setup_io_queues
>              nvme_remap_bar(dev, size)
>                if (size <= dev->bar_mapped_size)
>                  return 0;
>                iounmap
>                                                reg_write32   //error
>                ioremap
> 
> In nvme_remap_bar(), the premise of ioremap is "size > 
> dev->bar_mapped_size".
>    size = NVME_REG_DBS + ((nr_io_queues + 1) * 8 * dev->db_stride);
>      1)nr_io_queue = dev->nr_allocated_queues - 1, once set to
> "nvme_max_io_queues(dev) + 1" during probe time, it could not change.
>      2)db_stride is doorbell stride, it didn't change during my test
> Therefore, I can't find a way to make iounmap happen.
> 
> Could you tell me how you trigger the ERROR?
> 
> Thanks,
> Nan.
> 

Do you have a script to reproduce this?

-ck
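The race in the quoted diagram and the idea behind "single threaded" subsystem reset, as an added user-space model that is not code from this thread or from the kernel. Assumptions: the upstream fix is modelled as an atomic LIVE -> RESETTING state transition, NULL stands in for an iounmap'd BAR, and db_bar_size/remap_bar/reset_subsystem_* are hypothetical names.

```c
#include <errno.h>
#include <stdatomic.h>
#include <stddef.h>
#include <stdint.h>
#define NVME_REG_DBS    0x1000u     /* doorbell base offset (kernel nvme.h value) */
#define NVME_NSSR_VALUE 0x4E564D65u /* "NVMe": write that triggers a subsystem reset */
enum ctrl_state { CTRL_LIVE, CTRL_RESETTING };

struct ctrl {               /* hypothetical stand-in for struct nvme_dev */
    _Atomic int state;      /* enum ctrl_state */
    uint32_t *bar;          /* NULL models an iounmap'd BAR */
    size_t bar_mapped_size;
};

/* Size formula from the thread: NVME_REG_DBS + ((nr_io_queues + 1) * 8 * db_stride). */
static size_t db_bar_size(unsigned nr_io_queues, unsigned db_stride)
{
    return NVME_REG_DBS + (size_t)(nr_io_queues + 1) * 8 * db_stride;
}

/* Mirrors the quoted nvme_remap_bar(): unmap/remap only when the window must grow.
 * Returns 1 when the BAR was unmapped and remapped, 0 when the early return hit. */
static int remap_bar(struct ctrl *c, size_t size, uint32_t *storage)
{
    if (size <= c->bar_mapped_size)
        return 0;
    c->bar = NULL;          /* iounmap: a concurrent reg_write32 here would fault */
    c->bar = storage;       /* ioremap */
    c->bar_mapped_size = size;
    return 1;
}

/* Racy path: reg_write32 with no serialisation against a running reset_work. */
static int reset_subsystem_racy(struct ctrl *c)
{
    if (!c->bar)
        return -EFAULT;     /* stands in for the crash of an unmapped access */
    c->bar[0] = NVME_NSSR_VALUE;
    return 0;
}

/* Guarded path: only the winner of LIVE -> RESETTING may touch the BAR (mapped while LIVE). */
static int reset_subsystem_guarded(struct ctrl *c)
{
    int expected = CTRL_LIVE;
    if (!atomic_compare_exchange_strong(&c->state, &expected, CTRL_RESETTING))
        return -EBUSY;
    c->bar[0] = NVME_NSSR_VALUE;
    return 0;
}
```

With a fixed queue count and doorbell stride the second remap_bar() call takes the early return and never unmaps, which is Nan's point; the guarded reset refuses with -EBUSY once a reset already owns the controller instead of writing through a possibly unmapped BAR.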
