[PATCH AUTOSEL 6.1 08/20] scsi: iscsi_tcp: Fix UAF during login when accessing the shost ipaddress
3 views
Skip to first unread message
Sasha Levin
Jan 31, 2023, 10:00:11 AM1/31/23
to linux-...@vger.kernel.org, sta...@vger.kernel.org, Mike Christie, Lee Duncan, Ding Hui, Martin K . Petersen, Sasha Levin, cle...@redhat.com, je...@linux.ibm.com, open-...@googlegroups.com, linux...@vger.kernel.org
From: Mike Christie <michael....@oracle.com>
[ Upstream commit f484a794e4ee2a9ce61f52a78e810ac45f3fe3b3 ]
If during iscsi_sw_tcp_session_create() iscsi_tcp_r2tpool_alloc() fails,
userspace could be accessing the host's ipaddress attr. If we then free the
session via iscsi_session_teardown() while userspace is still accessing the
session we will hit a use after free bug.
Set the tcp_sw_host->session after we have completed session creation and
can no longer fail.
Link: https://lore.kernel.org/r/20230117193937.2124...@oracle.com
Signed-off-by: Mike Christie <michael....@oracle.com>
Reviewed-by: Lee Duncan <ldu...@suse.com>
Acked-by: Ding Hui <din...@sangfor.com.cn>
Signed-off-by: Martin K. Petersen <martin....@oracle.com>
Signed-off-by: Sasha Levin <sas...@kernel.org>
---
drivers/scsi/iscsi_tcp.c | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/drivers/scsi/iscsi_tcp.c b/drivers/scsi/iscsi_tcp.c
index 9c0c8f34ef67..c3ad04ad66e0 100644
--- a/drivers/scsi/iscsi_tcp.c
+++ b/drivers/scsi/iscsi_tcp.c
@@ -848,7 +848,7 @@ static int iscsi_sw_tcp_host_get_param(struct Scsi_Host *shost,
enum iscsi_host_param param, char *buf)
{
struct iscsi_sw_tcp_host *tcp_sw_host = iscsi_host_priv(shost);
- struct iscsi_session *session = tcp_sw_host->session;
+ struct iscsi_session *session;
struct iscsi_conn *conn;
struct iscsi_tcp_conn *tcp_conn;
struct iscsi_sw_tcp_conn *tcp_sw_conn;
@@ -858,6 +858,7 @@ static int iscsi_sw_tcp_host_get_param(struct Scsi_Host *shost,
switch (param) {
case ISCSI_HOST_PARAM_IPADDRESS:
+ session = tcp_sw_host->session;
if (!session)
return -ENOTCONN;
@@ -958,11 +959,13 @@ iscsi_sw_tcp_session_create(struct iscsi_endpoint *ep, uint16_t cmds_max,
if (!cls_session)
goto remove_host;
session = cls_session->dd_data;
- tcp_sw_host = iscsi_host_priv(shost);
- tcp_sw_host->session = session;
if (iscsi_tcp_r2tpool_alloc(session))
goto remove_session;
+
+ /* We are now fully setup so expose the session to sysfs. */
+ tcp_sw_host = iscsi_host_priv(shost);
+ tcp_sw_host->session = session;
return cls_session;
remove_session:
--
2.39.0
[ Upstream commit f484a794e4ee2a9ce61f52a78e810ac45f3fe3b3 ]
If during iscsi_sw_tcp_session_create() iscsi_tcp_r2tpool_alloc() fails,
userspace could be accessing the host's ipaddress attr. If we then free the
session via iscsi_session_teardown() while userspace is still accessing the
session we will hit a use after free bug.
Set the tcp_sw_host->session after we have completed session creation and
can no longer fail.
Link: https://lore.kernel.org/r/20230117193937.2124...@oracle.com
Signed-off-by: Mike Christie <michael....@oracle.com>
Reviewed-by: Lee Duncan <ldu...@suse.com>
Acked-by: Ding Hui <din...@sangfor.com.cn>
Signed-off-by: Martin K. Petersen <martin....@oracle.com>
Signed-off-by: Sasha Levin <sas...@kernel.org>
---
drivers/scsi/iscsi_tcp.c | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/drivers/scsi/iscsi_tcp.c b/drivers/scsi/iscsi_tcp.c
index 9c0c8f34ef67..c3ad04ad66e0 100644
--- a/drivers/scsi/iscsi_tcp.c
+++ b/drivers/scsi/iscsi_tcp.c
@@ -848,7 +848,7 @@ static int iscsi_sw_tcp_host_get_param(struct Scsi_Host *shost,
enum iscsi_host_param param, char *buf)
{
struct iscsi_sw_tcp_host *tcp_sw_host = iscsi_host_priv(shost);
- struct iscsi_session *session = tcp_sw_host->session;
+ struct iscsi_session *session;
struct iscsi_conn *conn;
struct iscsi_tcp_conn *tcp_conn;
struct iscsi_sw_tcp_conn *tcp_sw_conn;
@@ -858,6 +858,7 @@ static int iscsi_sw_tcp_host_get_param(struct Scsi_Host *shost,
switch (param) {
case ISCSI_HOST_PARAM_IPADDRESS:
+ session = tcp_sw_host->session;
if (!session)
return -ENOTCONN;
@@ -958,11 +959,13 @@ iscsi_sw_tcp_session_create(struct iscsi_endpoint *ep, uint16_t cmds_max,
if (!cls_session)
goto remove_host;
session = cls_session->dd_data;
- tcp_sw_host = iscsi_host_priv(shost);
- tcp_sw_host->session = session;
if (iscsi_tcp_r2tpool_alloc(session))
goto remove_session;
+
+ /* We are now fully setup so expose the session to sysfs. */
+ tcp_sw_host = iscsi_host_priv(shost);
+ tcp_sw_host->session = session;
return cls_session;
remove_session:
--
2.39.0
Sasha Levin
Jan 31, 2023, 10:00:47 AM1/31/23
to linux-...@vger.kernel.org, sta...@vger.kernel.org, Mike Christie, Lee Duncan, Ding Hui, Martin K . Petersen, Sasha Levin, cle...@redhat.com, je...@linux.ibm.com, open-...@googlegroups.com, linux...@vger.kernel.org
From: Mike Christie <michael....@oracle.com>
[ Upstream commit f484a794e4ee2a9ce61f52a78e810ac45f3fe3b3 ]
If during iscsi_sw_tcp_session_create() iscsi_tcp_r2tpool_alloc() fails,
userspace could be accessing the host's ipaddress attr. If we then free the
session via iscsi_session_teardown() while userspace is still accessing the
session we will hit a use after free bug.
Set the tcp_sw_host->session after we have completed session creation and
can no longer fail.
Link: https://lore.kernel.org/r/20230117193937.2124...@oracle.com
Signed-off-by: Mike Christie <michael....@oracle.com>
Reviewed-by: Lee Duncan <ldu...@suse.com>
Acked-by: Ding Hui <din...@sangfor.com.cn>
Signed-off-by: Martin K. Petersen <martin....@oracle.com>
Signed-off-by: Sasha Levin <sas...@kernel.org>
---
drivers/scsi/iscsi_tcp.c | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/drivers/scsi/iscsi_tcp.c b/drivers/scsi/iscsi_tcp.c
index 5c19e75c0e2f..594336004190 100644
[ Upstream commit f484a794e4ee2a9ce61f52a78e810ac45f3fe3b3 ]
If during iscsi_sw_tcp_session_create() iscsi_tcp_r2tpool_alloc() fails,
userspace could be accessing the host's ipaddress attr. If we then free the
session via iscsi_session_teardown() while userspace is still accessing the
session we will hit a use after free bug.
Set the tcp_sw_host->session after we have completed session creation and
can no longer fail.
Link: https://lore.kernel.org/r/20230117193937.2124...@oracle.com
Signed-off-by: Mike Christie <michael....@oracle.com>
Reviewed-by: Lee Duncan <ldu...@suse.com>
Acked-by: Ding Hui <din...@sangfor.com.cn>
Signed-off-by: Martin K. Petersen <martin....@oracle.com>
Signed-off-by: Sasha Levin <sas...@kernel.org>
---
drivers/scsi/iscsi_tcp.c | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/drivers/scsi/iscsi_tcp.c b/drivers/scsi/iscsi_tcp.c
Sasha Levin
Jan 31, 2023, 10:01:15 AM1/31/23
to linux-...@vger.kernel.org, sta...@vger.kernel.org, Mike Christie, Lee Duncan, Ding Hui, Martin K . Petersen, Sasha Levin, cle...@redhat.com, je...@linux.ibm.com, open-...@googlegroups.com, linux...@vger.kernel.org
From: Mike Christie <michael....@oracle.com>
[ Upstream commit f484a794e4ee2a9ce61f52a78e810ac45f3fe3b3 ]
If during iscsi_sw_tcp_session_create() iscsi_tcp_r2tpool_alloc() fails,
userspace could be accessing the host's ipaddress attr. If we then free the
session via iscsi_session_teardown() while userspace is still accessing the
session we will hit a use after free bug.
Set the tcp_sw_host->session after we have completed session creation and
can no longer fail.
Link: https://lore.kernel.org/r/20230117193937.2124...@oracle.com
Signed-off-by: Mike Christie <michael....@oracle.com>
Reviewed-by: Lee Duncan <ldu...@suse.com>
Acked-by: Ding Hui <din...@sangfor.com.cn>
Signed-off-by: Martin K. Petersen <martin....@oracle.com>
Signed-off-by: Sasha Levin <sas...@kernel.org>
---
drivers/scsi/iscsi_tcp.c | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/drivers/scsi/iscsi_tcp.c b/drivers/scsi/iscsi_tcp.c
index 6485c1aa9e74..252d7881f99c 100644
[ Upstream commit f484a794e4ee2a9ce61f52a78e810ac45f3fe3b3 ]
If during iscsi_sw_tcp_session_create() iscsi_tcp_r2tpool_alloc() fails,
userspace could be accessing the host's ipaddress attr. If we then free the
session via iscsi_session_teardown() while userspace is still accessing the
session we will hit a use after free bug.
Set the tcp_sw_host->session after we have completed session creation and
can no longer fail.
Link: https://lore.kernel.org/r/20230117193937.2124...@oracle.com
Signed-off-by: Mike Christie <michael....@oracle.com>
Reviewed-by: Lee Duncan <ldu...@suse.com>
Acked-by: Ding Hui <din...@sangfor.com.cn>
Signed-off-by: Martin K. Petersen <martin....@oracle.com>
Signed-off-by: Sasha Levin <sas...@kernel.org>
---
drivers/scsi/iscsi_tcp.c | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/drivers/scsi/iscsi_tcp.c b/drivers/scsi/iscsi_tcp.c
--- a/drivers/scsi/iscsi_tcp.c
+++ b/drivers/scsi/iscsi_tcp.c
@@ -802,7 +802,7 @@ static int iscsi_sw_tcp_host_get_param(struct Scsi_Host *shost,
enum iscsi_host_param param, char *buf)
{
struct iscsi_sw_tcp_host *tcp_sw_host = iscsi_host_priv(shost);
- struct iscsi_session *session = tcp_sw_host->session;
+ struct iscsi_session *session;
struct iscsi_conn *conn;
struct iscsi_tcp_conn *tcp_conn;
struct iscsi_sw_tcp_conn *tcp_sw_conn;
@@ -812,6 +812,7 @@ static int iscsi_sw_tcp_host_get_param(struct Scsi_Host *shost,
{
struct iscsi_sw_tcp_host *tcp_sw_host = iscsi_host_priv(shost);
- struct iscsi_session *session = tcp_sw_host->session;
+ struct iscsi_session *session;
struct iscsi_conn *conn;
struct iscsi_tcp_conn *tcp_conn;
struct iscsi_sw_tcp_conn *tcp_sw_conn;
switch (param) {
case ISCSI_HOST_PARAM_IPADDRESS:
+ session = tcp_sw_host->session;
if (!session)
return -ENOTCONN;
if (!cls_session)
goto remove_host;
session = cls_session->dd_data;
- tcp_sw_host = iscsi_host_priv(shost);
- tcp_sw_host->session = session;
shost->can_queue = session->scsi_cmds_max;
goto remove_host;
session = cls_session->dd_data;
- tcp_sw_host = iscsi_host_priv(shost);
- tcp_sw_host->session = session;
Sasha Levin
Jan 31, 2023, 10:01:20 AM1/31/23
to linux-...@vger.kernel.org, sta...@vger.kernel.org, Mike Christie, Lee Duncan, Ding Hui, Martin K . Petersen, Sasha Levin, cle...@redhat.com, je...@linux.ibm.com, open-...@googlegroups.com, linux...@vger.kernel.org
From: Mike Christie <michael....@oracle.com>
[ Upstream commit f484a794e4ee2a9ce61f52a78e810ac45f3fe3b3 ]
If during iscsi_sw_tcp_session_create() iscsi_tcp_r2tpool_alloc() fails,
userspace could be accessing the host's ipaddress attr. If we then free the
session via iscsi_session_teardown() while userspace is still accessing the
session we will hit a use after free bug.
Set the tcp_sw_host->session after we have completed session creation and
can no longer fail.
Link: https://lore.kernel.org/r/20230117193937.2124...@oracle.com
Signed-off-by: Mike Christie <michael....@oracle.com>
Reviewed-by: Lee Duncan <ldu...@suse.com>
Acked-by: Ding Hui <din...@sangfor.com.cn>
Signed-off-by: Martin K. Petersen <martin....@oracle.com>
Signed-off-by: Sasha Levin <sas...@kernel.org>
---
drivers/scsi/iscsi_tcp.c | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/drivers/scsi/iscsi_tcp.c b/drivers/scsi/iscsi_tcp.c
index b5dd1caae5e9..9320a0a92bb2 100644
[ Upstream commit f484a794e4ee2a9ce61f52a78e810ac45f3fe3b3 ]
If during iscsi_sw_tcp_session_create() iscsi_tcp_r2tpool_alloc() fails,
userspace could be accessing the host's ipaddress attr. If we then free the
session via iscsi_session_teardown() while userspace is still accessing the
session we will hit a use after free bug.
Set the tcp_sw_host->session after we have completed session creation and
can no longer fail.
Link: https://lore.kernel.org/r/20230117193937.2124...@oracle.com
Signed-off-by: Mike Christie <michael....@oracle.com>
Reviewed-by: Lee Duncan <ldu...@suse.com>
Acked-by: Ding Hui <din...@sangfor.com.cn>
Signed-off-by: Martin K. Petersen <martin....@oracle.com>
Signed-off-by: Sasha Levin <sas...@kernel.org>
---
drivers/scsi/iscsi_tcp.c | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/drivers/scsi/iscsi_tcp.c b/drivers/scsi/iscsi_tcp.c
--- a/drivers/scsi/iscsi_tcp.c
+++ b/drivers/scsi/iscsi_tcp.c
@@ -770,7 +770,7 @@ static int iscsi_sw_tcp_host_get_param(struct Scsi_Host *shost,
enum iscsi_host_param param, char *buf)
{
struct iscsi_sw_tcp_host *tcp_sw_host = iscsi_host_priv(shost);
- struct iscsi_session *session = tcp_sw_host->session;
+ struct iscsi_session *session;
struct iscsi_conn *conn;
struct iscsi_tcp_conn *tcp_conn;
struct iscsi_sw_tcp_conn *tcp_sw_conn;
@@ -779,6 +779,7 @@ static int iscsi_sw_tcp_host_get_param(struct Scsi_Host *shost,
{
struct iscsi_sw_tcp_host *tcp_sw_host = iscsi_host_priv(shost);
- struct iscsi_session *session = tcp_sw_host->session;
+ struct iscsi_session *session;
struct iscsi_conn *conn;
struct iscsi_tcp_conn *tcp_conn;
struct iscsi_sw_tcp_conn *tcp_sw_conn;
switch (param) {
case ISCSI_HOST_PARAM_IPADDRESS:
+ session = tcp_sw_host->session;
if (!session)
return -ENOTCONN;
Sasha Levin
Jan 31, 2023, 10:01:29 AM1/31/23
to linux-...@vger.kernel.org, sta...@vger.kernel.org, Mike Christie, Lee Duncan, Ding Hui, Martin K . Petersen, Sasha Levin, cle...@redhat.com, je...@linux.ibm.com, open-...@googlegroups.com, linux...@vger.kernel.org
From: Mike Christie <michael....@oracle.com>
[ Upstream commit f484a794e4ee2a9ce61f52a78e810ac45f3fe3b3 ]
If during iscsi_sw_tcp_session_create() iscsi_tcp_r2tpool_alloc() fails,
userspace could be accessing the host's ipaddress attr. If we then free the
session via iscsi_session_teardown() while userspace is still accessing the
session we will hit a use after free bug.
Set the tcp_sw_host->session after we have completed session creation and
can no longer fail.
Link: https://lore.kernel.org/r/20230117193937.2124...@oracle.com
Signed-off-by: Mike Christie <michael....@oracle.com>
Reviewed-by: Lee Duncan <ldu...@suse.com>
Acked-by: Ding Hui <din...@sangfor.com.cn>
Signed-off-by: Martin K. Petersen <martin....@oracle.com>
Signed-off-by: Sasha Levin <sas...@kernel.org>
---
drivers/scsi/iscsi_tcp.c | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/drivers/scsi/iscsi_tcp.c b/drivers/scsi/iscsi_tcp.c
index 7212e3a13fe6..33fb111e2e19 100644
[ Upstream commit f484a794e4ee2a9ce61f52a78e810ac45f3fe3b3 ]
If during iscsi_sw_tcp_session_create() iscsi_tcp_r2tpool_alloc() fails,
userspace could be accessing the host's ipaddress attr. If we then free the
session via iscsi_session_teardown() while userspace is still accessing the
session we will hit a use after free bug.
Set the tcp_sw_host->session after we have completed session creation and
can no longer fail.
Link: https://lore.kernel.org/r/20230117193937.2124...@oracle.com
Signed-off-by: Mike Christie <michael....@oracle.com>
Reviewed-by: Lee Duncan <ldu...@suse.com>
Acked-by: Ding Hui <din...@sangfor.com.cn>
Signed-off-by: Martin K. Petersen <martin....@oracle.com>
Signed-off-by: Sasha Levin <sas...@kernel.org>
---
drivers/scsi/iscsi_tcp.c | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/drivers/scsi/iscsi_tcp.c b/drivers/scsi/iscsi_tcp.c
--- a/drivers/scsi/iscsi_tcp.c
+++ b/drivers/scsi/iscsi_tcp.c
@@ -775,7 +775,7 @@ static int iscsi_sw_tcp_host_get_param(struct Scsi_Host *shost,
enum iscsi_host_param param, char *buf)
{
struct iscsi_sw_tcp_host *tcp_sw_host = iscsi_host_priv(shost);
- struct iscsi_session *session = tcp_sw_host->session;
+ struct iscsi_session *session;
struct iscsi_conn *conn;
struct iscsi_tcp_conn *tcp_conn;
struct iscsi_sw_tcp_conn *tcp_sw_conn;
@@ -784,6 +784,7 @@ static int iscsi_sw_tcp_host_get_param(struct Scsi_Host *shost,
{
struct iscsi_sw_tcp_host *tcp_sw_host = iscsi_host_priv(shost);
- struct iscsi_session *session = tcp_sw_host->session;
+ struct iscsi_session *session;
struct iscsi_conn *conn;
struct iscsi_tcp_conn *tcp_conn;
struct iscsi_sw_tcp_conn *tcp_sw_conn;
switch (param) {
case ISCSI_HOST_PARAM_IPADDRESS:
+ session = tcp_sw_host->session;
if (!session)
return -ENOTCONN;
Sasha Levin
Jan 31, 2023, 10:01:36 AM1/31/23
to linux-...@vger.kernel.org, sta...@vger.kernel.org, Mike Christie, Lee Duncan, Ding Hui, Martin K . Petersen, Sasha Levin, cle...@redhat.com, je...@linux.ibm.com, open-...@googlegroups.com, linux...@vger.kernel.org
From: Mike Christie <michael....@oracle.com>
[ Upstream commit f484a794e4ee2a9ce61f52a78e810ac45f3fe3b3 ]
If during iscsi_sw_tcp_session_create() iscsi_tcp_r2tpool_alloc() fails,
userspace could be accessing the host's ipaddress attr. If we then free the
session via iscsi_session_teardown() while userspace is still accessing the
session we will hit a use after free bug.
Set the tcp_sw_host->session after we have completed session creation and
can no longer fail.
Link: https://lore.kernel.org/r/20230117193937.2124...@oracle.com
Signed-off-by: Mike Christie <michael....@oracle.com>
Reviewed-by: Lee Duncan <ldu...@suse.com>
Acked-by: Ding Hui <din...@sangfor.com.cn>
Signed-off-by: Martin K. Petersen <martin....@oracle.com>
Signed-off-by: Sasha Levin <sas...@kernel.org>
---
drivers/scsi/iscsi_tcp.c | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/drivers/scsi/iscsi_tcp.c b/drivers/scsi/iscsi_tcp.c
index e3ca16043f9a..9161fe8fba88 100644
[ Upstream commit f484a794e4ee2a9ce61f52a78e810ac45f3fe3b3 ]
If during iscsi_sw_tcp_session_create() iscsi_tcp_r2tpool_alloc() fails,
userspace could be accessing the host's ipaddress attr. If we then free the
session via iscsi_session_teardown() while userspace is still accessing the
session we will hit a use after free bug.
Set the tcp_sw_host->session after we have completed session creation and
can no longer fail.
Link: https://lore.kernel.org/r/20230117193937.2124...@oracle.com
Signed-off-by: Mike Christie <michael....@oracle.com>
Reviewed-by: Lee Duncan <ldu...@suse.com>
Acked-by: Ding Hui <din...@sangfor.com.cn>
Signed-off-by: Martin K. Petersen <martin....@oracle.com>
Signed-off-by: Sasha Levin <sas...@kernel.org>
---
drivers/scsi/iscsi_tcp.c | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/drivers/scsi/iscsi_tcp.c b/drivers/scsi/iscsi_tcp.c
--- a/drivers/scsi/iscsi_tcp.c
+++ b/drivers/scsi/iscsi_tcp.c
@@ -773,7 +773,7 @@ static int iscsi_sw_tcp_host_get_param(struct Scsi_Host *shost,
enum iscsi_host_param param, char *buf)
{
struct iscsi_sw_tcp_host *tcp_sw_host = iscsi_host_priv(shost);
- struct iscsi_session *session = tcp_sw_host->session;
+ struct iscsi_session *session;
struct iscsi_conn *conn;
struct iscsi_tcp_conn *tcp_conn;
struct iscsi_sw_tcp_conn *tcp_sw_conn;
@@ -782,6 +782,7 @@ static int iscsi_sw_tcp_host_get_param(struct Scsi_Host *shost,
{
struct iscsi_sw_tcp_host *tcp_sw_host = iscsi_host_priv(shost);
- struct iscsi_session *session = tcp_sw_host->session;
+ struct iscsi_session *session;
struct iscsi_conn *conn;
struct iscsi_tcp_conn *tcp_conn;
struct iscsi_sw_tcp_conn *tcp_sw_conn;
switch (param) {
case ISCSI_HOST_PARAM_IPADDRESS:
+ session = tcp_sw_host->session;
if (!session)
return -ENOTCONN;
Reply all
Reply to author
Forward
0 new messages