scsi: iscsi_tcp: Fix UAF during login when accessing the shost ipaddress

mainline inclusion from mainline-v6.2-rc6 commit f484a794 category: bugfix bugzilla: 188443, https://gitee.com/openeuler/kernel/issues/I6I8YD CVE: NA ---------------------------------------- If during iscsi_sw_tcp_session_create() iscsi_tcp_r2tpool_alloc() fails, userspace could be accessing the host's ipaddress attr. If we then free the session via iscsi_session_teardown() while userspace is still accessing the session we will hit a use after free bug. Set the tcp_sw_host->session after we have completed session creation and can no longer fail. Link: https://lore.kernel.org/r/20230117193937.21244-3-michael.christie@oracle.comSigned-off-by: N Mike Christie <michael.christie@oracle.com> Reviewed-by: N Lee Duncan <lduncan@suse.com> Acked-by: N Ding Hui <dinghui@sangfor.com.cn> Signed-off-by: N Martin K. Petersen <martin.petersen@oracle.com> Signed-off-by: N Zhong Jinghua <zhongjinghua@huawei.com> Reviewed-by: N Hou Tao <houtao1@huawei.com> Signed-off-by: N Yongqiang Liu <liuyongqiang13@huawei.com>

scsi: iscsi_tcp: Fix UAF during login when accessing the shost ipaddress
mainline inclusion from mainline-v6.2-rc6 commit f484a794 category: bugfix bugzilla: 188443, https://gitee.com/openeuler/kernel/issues/I6I8YD CVE: NA ---------------------------------------- If during iscsi_sw_tcp_session_create() iscsi_tcp_r2tpool_alloc() fails, userspace could be accessing the host's ipaddress attr. If we then free the session via iscsi_session_teardown() while userspace is still accessing the session we will hit a use after free bug. Set the tcp_sw_host->session after we have completed session creation and can no longer fail. Link: https://lore.kernel.org/r/20230117193937.21244-3-michael.christie@oracle.comSigned-off-by: N Mike Christie <michael.christie@oracle.com> Reviewed-by: N Lee Duncan <lduncan@suse.com> Acked-by: N Ding Hui <dinghui@sangfor.com.cn> Signed-off-by: N Martin K. Petersen <martin.petersen@oracle.com> Signed-off-by: N Zhong Jinghua <zhongjinghua@huawei.com> Reviewed-by: N Hou Tao <houtao1@huawei.com> Signed-off-by: N Yongqiang Liu <liuyongqiang13@huawei.com>
cc6fb9a6 · Mike Christie · Yongqiang Liu · 3835c5e9 · cc6fb9a6
隐藏空白更改
内联并排

Showing with 6 addition and 3 deletion

drivers/scsi/iscsi_tcp.c drivers/scsi/iscsi_tcp.c +6 -3

未找到文件。
--- a/drivers/scsi/iscsi_tcp.c
+++ b/drivers/scsi/iscsi_tcp.c
@@ -783,7 +783,7 @@ static int iscsi_sw_tcp_host_get_param(struct Scsi_Host *shost,
 				       enum iscsi_host_param param, char *buf)
 {
 	struct iscsi_sw_tcp_host *tcp_sw_host = iscsi_host_priv(shost);
-	struct iscsi_session *session = tcp_sw_host->session;
+	struct iscsi_session *session;
 	struct iscsi_conn *conn;
 	struct iscsi_tcp_conn *tcp_conn;
 	struct iscsi_sw_tcp_conn *tcp_sw_conn;
@@ -792,6 +792,7 @@ static int iscsi_sw_tcp_host_get_param(struct Scsi_Host *shost,

 	switch (param) {
 	case ISCSI_HOST_PARAM_IPADDRESS:
+		session = tcp_sw_host->session;
 		if (!session)
 			return -ENOTCONN;

@@ -886,11 +887,13 @@ iscsi_sw_tcp_session_create(struct iscsi_endpoint *ep, uint16_t cmds_max,
 	if (!cls_session)
 		goto remove_host;
 	session = cls_session->dd_data;
-	tcp_sw_host = iscsi_host_priv(shost);
-	tcp_sw_host->session = session;

 	if (iscsi_tcp_r2tpool_alloc(session))
 		goto remove_session;
+
+	/* We are now fully setup so expose the session to sysfs. */
+	tcp_sw_host = iscsi_host_priv(shost);
+	tcp_sw_host->session = session;
 	return cls_session;

 remove_session: