From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id D28742F39 for ; Tue, 7 Feb 2023 13:11:23 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 4DB70C433D2; Tue, 7 Feb 2023 13:11:23 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1675775483; bh=4x/m1zxykvHI4mrl4MNWLwfiOjfzqsRLll+mJsfoGnw=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=PiqGlmxOcMS+GG+WnQwNIlG7nW1gkglOpIg0NDKb/fRU2OysjiSO1UBFl6fnn9472 PlrALce/zkzuHke/7vTaArDIaKs07CCxxO4OQORJjng/88CvIrIdqDiLE3Klrtp+RF h4ezeFvapqeb/HnQJUPDw7nmcmKEvBzNxezTMO60= From: Greg Kroah-Hartman To: stable@vger.kernel.org Cc: Greg Kroah-Hartman , patches@lists.linux.dev, Mike Christie , Lee Duncan , Ding Hui , "Martin K. Petersen" , Sasha Levin Subject: [PATCH 5.15 056/120] scsi: iscsi_tcp: Fix UAF during login when accessing the shost ipaddress Date: Tue, 7 Feb 2023 13:57:07 +0100 Message-Id: <20230207125621.147378833@linuxfoundation.org> X-Mailer: git-send-email 2.39.1 In-Reply-To: <20230207125618.699726054@linuxfoundation.org> References: <20230207125618.699726054@linuxfoundation.org> User-Agent: quilt/0.67 Precedence: bulk X-Mailing-List: patches@lists.linux.dev List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit From: Mike Christie [ Upstream commit f484a794e4ee2a9ce61f52a78e810ac45f3fe3b3 ] If during iscsi_sw_tcp_session_create() iscsi_tcp_r2tpool_alloc() fails, userspace could be accessing the host's ipaddress attr. If we then free the session via iscsi_session_teardown() while userspace is still accessing the session we will hit a use after free bug. Set the tcp_sw_host->session after we have completed session creation and can no longer fail. Link: https://lore.kernel.org/r/20230117193937.21244-3-michael.christie@oracle.com Signed-off-by: Mike Christie Reviewed-by: Lee Duncan Acked-by: Ding Hui Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin --- drivers/scsi/iscsi_tcp.c | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/drivers/scsi/iscsi_tcp.c b/drivers/scsi/iscsi_tcp.c index 5c19e75c0e2f..594336004190 100644 --- a/drivers/scsi/iscsi_tcp.c +++ b/drivers/scsi/iscsi_tcp.c @@ -848,7 +848,7 @@ static int iscsi_sw_tcp_host_get_param(struct Scsi_Host *shost, enum iscsi_host_param param, char *buf) { struct iscsi_sw_tcp_host *tcp_sw_host = iscsi_host_priv(shost); - struct iscsi_session *session = tcp_sw_host->session; + struct iscsi_session *session; struct iscsi_conn *conn; struct iscsi_tcp_conn *tcp_conn; struct iscsi_sw_tcp_conn *tcp_sw_conn; @@ -858,6 +858,7 @@ static int iscsi_sw_tcp_host_get_param(struct Scsi_Host *shost, switch (param) { case ISCSI_HOST_PARAM_IPADDRESS: + session = tcp_sw_host->session; if (!session) return -ENOTCONN; @@ -958,11 +959,13 @@ iscsi_sw_tcp_session_create(struct iscsi_endpoint *ep, uint16_t cmds_max, if (!cls_session) goto remove_host; session = cls_session->dd_data; - tcp_sw_host = iscsi_host_priv(shost); - tcp_sw_host->session = session; if (iscsi_tcp_r2tpool_alloc(session)) goto remove_session; + + /* We are now fully setup so expose the session to sysfs. */ + tcp_sw_host = iscsi_host_priv(shost); + tcp_sw_host->session = session; return cls_session; remove_session: -- 2.39.0