projects / platform / kernel / linux-starfive.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 6f1d64b)
scsi: iscsi_tcp: Fix UAF during login when accessing the shost ipaddress
authorMike Christie <michael.christie@oracle.com>
Tue, 17 Jan 2023 19:39:37 +0000 (13:39 -0600)
committerMartin K. Petersen <martin.petersen@oracle.com>
Thu, 19 Jan 2023 00:14:56 +0000 (19:14 -0500)
If during iscsi_sw_tcp_session_create() iscsi_tcp_r2tpool_alloc() fails,
userspace could be accessing the host's ipaddress attr. If we then free the
session via iscsi_session_teardown() while userspace is still accessing the
session we will hit a use after free bug.

Set the tcp_sw_host->session after we have completed session creation and
can no longer fail.

Link: https://lore.kernel.org/r/20230117193937.21244-3-michael.christie@oracle.com
Signed-off-by: Mike Christie <michael.christie@oracle.com>
Reviewed-by: Lee Duncan <lduncan@suse.com>
Acked-by: Ding Hui <dinghui@sangfor.com.cn>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
drivers/scsi/iscsi_tcp.c patch | blob | history

diff --git a/drivers/scsi/iscsi_tcp.c b/drivers/scsi/iscsi_tcp.c
index 5c679a8..0454d94 100644 (file)
--- a/drivers/scsi/iscsi_tcp.c
+++ b/drivers/scsi/iscsi_tcp.c
@@ -849,7 +849,7 @@ static int iscsi_sw_tcp_host_get_param(struct Scsi_Host *shost,
                                       enum iscsi_host_param param, char *buf)
 {
        struct iscsi_sw_tcp_host *tcp_sw_host = iscsi_host_priv(shost);
-       struct iscsi_session *session = tcp_sw_host->session;
+       struct iscsi_session *session;
        struct iscsi_conn *conn;
        struct iscsi_tcp_conn *tcp_conn;
        struct iscsi_sw_tcp_conn *tcp_sw_conn;
@@ -859,6 +859,7 @@ static int iscsi_sw_tcp_host_get_param(struct Scsi_Host *shost,
 
        switch (param) {
        case ISCSI_HOST_PARAM_IPADDRESS:
+               session = tcp_sw_host->session;
                if (!session)
                        return -ENOTCONN;
 
@@ -959,11 +960,13 @@ iscsi_sw_tcp_session_create(struct iscsi_endpoint *ep, uint16_t cmds_max,
        if (!cls_session)
                goto remove_host;
        session = cls_session->dd_data;
-       tcp_sw_host = iscsi_host_priv(shost);
-       tcp_sw_host->session = session;
 
        if (iscsi_tcp_r2tpool_alloc(session))
                goto remove_session;
+
+       /* We are now fully setup so expose the session to sysfs. */
+       tcp_sw_host = iscsi_host_priv(shost);
+       tcp_sw_host->session = session;
        return cls_session;
 
 remove_session:
Domain: System / Kernel;