Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

scsi: libiscsi: Fix UAF in iscsi_conn_get_param()/iscsi_conn_teardown()

|- iscsi_if_destroy_conn               |-dev_attr_show
  |-iscsi_conn_teardown
   |-spin_lock_bh                      |-iscsi_sw_tcp_conn_get_param
                                       |-iscsi_conn_get_param
   |-kfree(conn->persistent_address)
   |-kfree(conn->local_ipaddr)
                                    ==>|-read persistent_address
                                    ==>|-read local_ipaddr
   |-spin_unlock_bh

When iscsi_conn_teardown() and iscsi_conn_get_param() happen in parallel, a
UAF may be triggered.

Link: https://lore.kernel.org/r/046ec8a0-ce95-d3fc-3235-666a7c65b224@huawei.com
Reported-by: Lu Tixiong <lutianxiong@huawei.com>
Reviewed-by: Mike Christie <michael.christie@oracle.com>
Reviewed-by: Lee Duncan <lduncan@suse.com>
Signed-off-by: Lixiaokeng <lixiaokeng@huawei.com>
Signed-off-by: Linfeilong <linfeilong@huawei.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>

authored by Lixiaokeng and committed by Martin K. Petersen
1b8d0300 9020be11

+4 -2
drivers/scsi/libiscsi.c
··· 3100 3100 { 3101 3101 struct iscsi_conn *conn = cls_conn->dd_data; 3102 3102 struct iscsi_session *session = conn->session; 3103 + char *tmp_persistent_address = conn->persistent_address; 3104 + char *tmp_local_ipaddr = conn->local_ipaddr; 3103 3105 3104 3106 del_timer_sync(&conn->transport_timer); 3105 3107 ··· 3123 3121 spin_lock_bh(&session->frwd_lock); 3124 3122 free_pages((unsigned long) conn->data, 3125 3123 get_order(ISCSI_DEF_MAX_RECV_SEG_LEN)); 3126 - kfree(conn->persistent_address); 3127 - kfree(conn->local_ipaddr); 3128 3124 /* regular RX path uses back_lock */ 3129 3125 spin_lock_bh(&session->back_lock); 3130 3126 kfifo_in(&session->cmdpool.queue, (void*)&conn->login_task, ··· 3134 3134 mutex_unlock(&session->eh_mutex); 3135 3135 3136 3136 iscsi_destroy_conn(cls_conn); 3137 + kfree(tmp_persistent_address); 3138 + kfree(tmp_local_ipaddr); 3137 3139 } 3138 3140 EXPORT_SYMBOL_GPL(iscsi_conn_teardown); 3139 3141
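Review bot: in the first hunk the two pointers are snapshotted at function entry (`char *tmp_persistent_address = conn->persistent_address;`), outside `session->frwd_lock` and before `del_timer_sync()`. That is only sound if nothing can still reassign `conn->persistent_address` or `conn->local_ipaddr` once teardown has begun; otherwise the temporaries would free the old buffer at the end of the function while the newer allocation left in the struct leaks. If that invariant holds (no setter can run against a connection being torn down), a one-line comment next to the temporaries saying so would spare the next reader the same question.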
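Review bot: in the second hunk the `frwd_lock` critical section now covers only `free_pages()` and the `kfifo_in()`, and the two string pointers are left valid in `conn` for any `iscsi_conn_get_param()` reader holding the lock. Since the frees were not replaced with anything, a short comment at the removal site (for example "persistent_address/local_ipaddr are freed after iscsi_destroy_conn(), see below") would prevent someone from re-adding `kfree()` here later and reintroducing the race the commit message describes.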
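Review bot: in the third hunk the ordering `iscsi_destroy_conn(cls_conn);` then `kfree(tmp_persistent_address);` is the whole fix, but neither the diff nor the commit message says why this placement closes the window: the strings must outlive the sysfs attribute readers that `iscsi_destroy_conn()` retires, and `conn` itself (taken from `cls_conn->dd_data`) must not be dereferenced after that call, which is the reason the temporaries exist. Suggest a comment above the two `kfree()` calls stating that they are deliberately deferred until after `iscsi_destroy_conn()` because `iscsi_conn_get_param()` may still read them under `frwd_lock` until then.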