superrob1500
/
mirror-linux
mirror of https://github.com/torvalds/linux
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
mirror-linux/include/scsi
History
Mike Christie 8859687f5b scsi: iscsi_tcp: Fix UAF during logout when accessing the shost ipaddress 
[ Upstream commit 6f1d64b130 ]

Bug report and analysis from Ding Hui.

During iSCSI session logout, if another task accesses the shost ipaddress
attr, we can get a KASAN UAF report like this:

[  276.942144] BUG: KASAN: use-after-free in _raw_spin_lock_bh+0x78/0xe0
[  276.942535] Write of size 4 at addr ffff8881053b45b8 by task cat/4088
[  276.943511] CPU: 2 PID: 4088 Comm: cat Tainted: G            E      6.1.0-rc8+ #3
[  276.943997] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 11/12/2020
[  276.944470] Call Trace:
[  276.944943]  <TASK>
[  276.945397]  dump_stack_lvl+0x34/0x48
[  276.945887]  print_address_description.constprop.0+0x86/0x1e7
[  276.946421]  print_report+0x36/0x4f
[  276.947358]  kasan_report+0xad/0x130
[  276.948234]  kasan_check_range+0x35/0x1c0
[  276.948674]  _raw_spin_lock_bh+0x78/0xe0
[  276.949989]  iscsi_sw_tcp_host_get_param+0xad/0x2e0 [iscsi_tcp]
[  276.951765]  show_host_param_ISCSI_HOST_PARAM_IPADDRESS+0xe9/0x130 [scsi_transport_iscsi]
[  276.952185]  dev_attr_show+0x3f/0x80
[  276.953005]  sysfs_kf_seq_show+0x1fb/0x3e0
[  276.953401]  seq_read_iter+0x402/0x1020
[  276.954260]  vfs_read+0x532/0x7b0
[  276.955113]  ksys_read+0xed/0x1c0
[  276.955952]  do_syscall_64+0x38/0x90
[  276.956347]  entry_SYSCALL_64_after_hwframe+0x63/0xcd
[  276.956769] RIP: 0033:0x7f5d3a679222
[  276.957161] Code: c0 e9 b2 fe ff ff 50 48 8d 3d 32 c0 0b 00 e8 a5 fe 01 00 0f 1f 44 00 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 0f 05 <48> 3d 00 f0 ff ff 77 56 c3 0f 1f 44 00 00 48 83 ec 28 48 89 54 24
[  276.958009] RSP: 002b:00007ffc864d16a8 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
[  276.958431] RAX: ffffffffffffffda RBX: 0000000000020000 RCX: 00007f5d3a679222
[  276.958857] RDX: 0000000000020000 RSI: 00007f5d3a4fe000 RDI: 0000000000000003
[  276.959281] RBP: 00007f5d3a4fe000 R08: 00000000ffffffff R09: 0000000000000000
[  276.959682] R10: 0000000000000022 R11: 0000000000000246 R12: 0000000000020000
[  276.960126] R13: 0000000000000003 R14: 0000000000000000 R15: 0000557a26dada58
[  276.960536]  </TASK>
[  276.961357] Allocated by task 2209:
[  276.961756]  kasan_save_stack+0x1e/0x40
[  276.962170]  kasan_set_track+0x21/0x30
[  276.962557]  __kasan_kmalloc+0x7e/0x90
[  276.962923]  __kmalloc+0x5b/0x140
[  276.963308]  iscsi_alloc_session+0x28/0x840 [scsi_transport_iscsi]
[  276.963712]  iscsi_session_setup+0xda/0xba0 [libiscsi]
[  276.964078]  iscsi_sw_tcp_session_create+0x1fd/0x330 [iscsi_tcp]
[  276.964431]  iscsi_if_create_session.isra.0+0x50/0x260 [scsi_transport_iscsi]
[  276.964793]  iscsi_if_recv_msg+0xc5a/0x2660 [scsi_transport_iscsi]
[  276.965153]  iscsi_if_rx+0x198/0x4b0 [scsi_transport_iscsi]
[  276.965546]  netlink_unicast+0x4d5/0x7b0
[  276.965905]  netlink_sendmsg+0x78d/0xc30
[  276.966236]  sock_sendmsg+0xe5/0x120
[  276.966576]  ____sys_sendmsg+0x5fe/0x860
[  276.966923]  ___sys_sendmsg+0xe0/0x170
[  276.967300]  __sys_sendmsg+0xc8/0x170
[  276.967666]  do_syscall_64+0x38/0x90
[  276.968028]  entry_SYSCALL_64_after_hwframe+0x63/0xcd
[  276.968773] Freed by task 2209:
[  276.969111]  kasan_save_stack+0x1e/0x40
[  276.969449]  kasan_set_track+0x21/0x30
[  276.969789]  kasan_save_free_info+0x2a/0x50
[  276.970146]  __kasan_slab_free+0x106/0x190
[  276.970470]  __kmem_cache_free+0x133/0x270
[  276.970816]  device_release+0x98/0x210
[  276.971145]  kobject_cleanup+0x101/0x360
[  276.971462]  iscsi_session_teardown+0x3fb/0x530 [libiscsi]
[  276.971775]  iscsi_sw_tcp_session_destroy+0xd8/0x130 [iscsi_tcp]
[  276.972143]  iscsi_if_recv_msg+0x1bf1/0x2660 [scsi_transport_iscsi]
[  276.972485]  iscsi_if_rx+0x198/0x4b0 [scsi_transport_iscsi]
[  276.972808]  netlink_unicast+0x4d5/0x7b0
[  276.973201]  netlink_sendmsg+0x78d/0xc30
[  276.973544]  sock_sendmsg+0xe5/0x120
[  276.973864]  ____sys_sendmsg+0x5fe/0x860
[  276.974248]  ___sys_sendmsg+0xe0/0x170
[  276.974583]  __sys_sendmsg+0xc8/0x170
[  276.974891]  do_syscall_64+0x38/0x90
[  276.975216]  entry_SYSCALL_64_after_hwframe+0x63/0xcd

We can easily reproduce by two tasks:
1. while :; do iscsiadm -m node --login; iscsiadm -m node --logout; done
2. while :; do cat \
/sys/devices/platform/host*/iscsi_host/host*/ipaddress; done

            iscsid              |        cat
--------------------------------+---------------------------------------
|- iscsi_sw_tcp_session_destroy |
  |- iscsi_session_teardown     |
    |- device_release           |
      |- iscsi_session_release  ||- dev_attr_show
        |- kfree                |  |- show_host_param_
                                |             ISCSI_HOST_PARAM_IPADDRESS
                                |    |- iscsi_sw_tcp_host_get_param
                                |      |- r/w tcp_sw_host->session (UAF)
  |- iscsi_host_remove          |
  |- iscsi_host_free            |

Fix the above bug by splitting the session removal into 2 parts:

 1. removal from iSCSI class which includes sysfs and removal from host
    tracking.

 2. freeing of session.

During iscsi_tcp host and session removal we can remove the session from
sysfs then remove the host from sysfs. At this point we know userspace is
not accessing the kernel via sysfs so we can free the session and host.

Link: https://lore.kernel.org/r/20230117193937.21244-2-michael.christie@oracle.com
Signed-off-by: Mike Christie <michael.christie@oracle.com>
Reviewed-by: Lee Duncan <lduncan@suse.com>
Acked-by: Ding Hui <dinghui@sangfor.com.cn>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
 		2023-02-09 11:28:12 +01:00
..
fc scsi: libfc: Replace one-element arrays with flexible-array members 2022-02-27 21:17:37 -05:00
fc_frame.h scsi: libfc: Move scsi/fc_encode.h to libfc 2020-10-29 21:49:25 -04:00
fcoe_sysfs.h
iscsi_if.h scsi: iscsi: Add support for asynchronous iSCSI session destruction 2020-03-11 23:07:57 -04:00
iscsi_proto.h scsi: Fix spelling mistakes in header files 2021-05-21 17:22:45 -04:00
iser.h
libfc.h scsi: libfc: Stop using the SCSI pointer 2022-02-22 21:11:05 -05:00
libfcoe.h SCSI misc on 20220524 2022-05-25 19:09:48 -07:00
libiscsi.h scsi: iscsi_tcp: Fix UAF during logout when accessing the shost ipaddress 2023-02-09 11:28:12 +01:00
libiscsi_tcp.h
libsas.h scsi: libsas: Introduce struct smp_rps_resp 2022-06-10 13:08:06 -04:00
sas.h scsi: libsas: Introduce struct smp_rps_resp 2022-06-10 13:08:06 -04:00
sas_ata.h scsi: libsas: Refactor sas_ata_hard_reset() 2022-05-19 20:16:25 -04:00
scsi.h scsi: core: Introduce enums for the SAM and host status codes 2021-06-02 23:09:39 -04:00
scsi_bsg_iscsi.h scsi: Fix spelling mistakes in header files 2021-05-21 17:22:45 -04:00
scsi_cmnd.h scsi: stex: Properly zero out the passthrough command structure 2022-09-25 14:15:03 -04:00
scsi_common.h scsi: target: core: Add CONTROL field for trace events 2020-10-02 18:36:19 -04:00
scsi_dbg.h scsi: core: Reduce memory required for SCSI logging 2019-08-07 21:47:29 -04:00
scsi_device.h SCSI misc on 20221007 2022-10-07 12:33:18 -07:00
scsi_devinfo.h scsi: core: Add new flag BLIST_IGN_MEDIA_CHANGE 2021-07-21 23:43:48 -04:00
scsi_dh.h scsi: core: Introduce enum scsi_disposition 2021-04-15 22:44:40 -04:00
scsi_driver.h scsi: don't use disk->private_data to find the scsi_driver 2022-03-08 19:40:00 -07:00
scsi_eh.h scsi: core: Remove the cmd field from struct scsi_request 2022-03-01 22:21:49 -05:00
scsi_host.h for-6.1/block-2022-10-03 2022-10-07 09:19:14 -07:00
scsi_ioctl.h scsi: remove the gendisk argument to scsi_ioctl 2021-11-29 06:41:29 -07:00
scsi_proto.h scsi: sd: sd_zbc: Hide gap zones 2022-04-25 23:23:05 -04:00
scsi_status.h scsi: core: Remove useless host error codes 2022-09-06 22:05:59 -04:00
scsi_tcq.h scsi: core: Only return started requests from scsi_host_find_tag() 2020-07-24 22:09:56 -04:00
scsi_transport.h
scsi_transport_fc.h scsi: libfc: Add FDMI-2 attributes 2021-06-10 00:03:56 -04:00
scsi_transport_iscsi.h scsi: iscsi: Fix multiple iSCSI session unbind events sent to userspace 2023-02-01 08:34:27 +01:00
scsi_transport_sas.h scsi: scsi_transport_sas: Add 22.5 Gbps link rate definitions 2021-10-19 14:07:19 -04:00
scsi_transport_spi.h
scsi_transport_srp.h
scsicam.h scsi: simplify scsi_partsize 2020-03-24 07:57:07 -06:00
sg.h scsi/sg: move sg-big-buff sysctl to scsi/sg.c 2022-01-22 08:33:35 +02:00
srp.h RDMA/srp: Apply the __packed attribute to members instead of structures 2021-05-28 20:21:20 -03:00
viosrp.h scsi: ibmvscsis: Silence -Warray-bounds warning 2022-02-11 16:42:22 -05:00