From: James Bottomley <James.Bottomley@HansenPartnership.com>
To: Linus Torvalds <torvalds@linux-foundation.org>
Cc: linux-scsi <linux-scsi@vger.kernel.org>,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Subject: Re: linux kernel security issuse scsi_report_lun_scan report
Date: Fri, 20 Nov 2015 10:26:54 -0800 [thread overview]
Message-ID: <1448044014.2168.34.camel@HansenPartnership.com> (raw)
In-Reply-To: <CA+55aFyn44rDnv3E9sSg_YGfeqhExvGz8yeAANU-BVghDHRFdA@mail.gmail.com>
On Fri, 2015-11-20 at 10:14 -0800, Linus Torvalds wrote:
> [ I don't know if the original reporter ended up actually sending this
> to the scsi list like Greg asked, so I'll forward it myself just in
> case ]
No, this is the first time we've seen this.
> There seems to be a very old use-after-free in the scsi code (git
> blame says the lines around this area are from 2005 and 2008) that
> kasan reports.
>
> I've tried to clean up the formatting in the email a bit, but the
> executive summary seems to be that this:
>
> drivers/scsi/scsi_scan.c, around line 1459:
>
> scsi_device_put(sdev);
> if (scsi_device_created(sdev))
>
> is just wrong, because the "scsi_device_put()" may be freeing the
> sdev, so then doing "scsi_device_created(sdev)" after it is bogus.
We can look at it, but the analysis shouldn't be correct. This device
is the one we first used to issue the report lun scan. Either it's an
existing device, or we created it specially for the purpose. If it's an
existing one, that put just releases our reference, but the core still
has one (there'd have to be a very unusual scan destroy race for the
core to be releasing a reference to an object it was in process of
scanning). If we create it, then it releases our reference taken in
line 1331 but it's also not a final put because alloc has to be paired
with remove. However, it should also be harmless to move the put to
after the if() clause ... can we ask the reporter to check if that's the
fix?
James
next prev parent reply other threads:[~2015-11-20 18:26 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <8159e011-35a9-4952-a0ef-be4dfb13983f.chengmiao.cj@alibaba-inc.com>
2015-11-20 18:14 ` linux kernel security issuse scsi_report_lun_scan report Linus Torvalds
2015-11-20 18:26 ` James Bottomley [this message]
2015-11-20 20:33 ` Linus Torvalds
2015-11-20 20:57 ` James Bottomley
2015-11-20 20:54 ` Linus Torvalds
2015-11-20 20:57 ` James Bottomley
2015-11-20 21:24 ` Linus Torvalds
2015-11-21 17:20 ` James Bottomley
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1448044014.2168.34.camel@HansenPartnership.com \
--to=james.bottomley@hansenpartnership.com \
--cc=gregkh@linuxfoundation.org \
--cc=linux-scsi@vger.kernel.org \
--cc=torvalds@linux-foundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.