From: sashiko-bot@kernel.org
To: "Bryam Vargas" <hexlabsecurity@proton.me>
Cc: linux-scsi@vger.kernel.org
Subject: Re: [PATCH v3] scsi: target: fix iSCSI ISID use-after-free in REGISTER AND MOVE
Date: Wed, 10 Jun 2026 04:37:20 +0000 [thread overview]
Message-ID: <20260610043721.139661F00893@smtp.kernel.org> (raw)
In-Reply-To: <20260610042245.35473-1-hexlabsecurity@proton.me>
Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
Pre-existing issues:
- [Critical] Missing length validation on the TransportID payload leads to out-of-bounds reads and potential kernel oops via `strstr()` and `get_unaligned_be64()`.
--
commit f95f1e5f1cdc7f67d3f1cb876ff0263d03032d49
Author: Bryam Vargas <hexlabsecurity@proton.me>
scsi: target: fix iSCSI ISID use-after-free in REGISTER AND MOVE
This commit fixes a use-after-free read of the iscsi isid pointer in
core_scsi3_emulate_pro_register_and_move(). The early unmap of the buffer
is dropped, keeping the parameter list mapped until the pointer is no
longer needed.
> diff --git a/drivers/target/target_core_pr.c b/drivers/target/target_core_pr.c
> index 11790f2c5d80f..7c5bb7d679477 100644
> --- a/drivers/target/target_core_pr.c
> +++ b/drivers/target/target_core_pr.c
> @@ -3293,9 +3293,6 @@ core_scsi3_emulate_pro_register_and_move(struct se_cmd *cmd, u64 res_key,
> goto out;
> }
>
> - transport_kunmap_data_sg(cmd);
> - buf = NULL;
> -
[Severity: Critical]
This is a pre-existing issue, but does this code properly validate the
payload length before parsing the buffer?
Earlier in core_scsi3_emulate_pro_register_and_move(), proto_ident is read
from buf[24] without verifying that tid_len > 0. If a command is sent with
tid_len = 0 and data_length = 24, would reading buf[24] result in an
out-of-bounds read?
Furthermore, iscsi_parse_pr_out_transport_id() calls:
p = strstr(&buf[4], ",i,0x");
If a payload length is exactly aligned to a multiple of the page size with no
null terminator, could strstr() scan past the vmap buffer and hit a guard
page, causing a kernel oops?
Finally, if the parsed isid string is found but terminates quickly near a page
boundary (for example, ",i,0x1\0"), __core_scsi3_do_alloc_registration()
executes:
pr_reg->pr_reg_bin_isid = get_unaligned_be64(isid);
Since get_unaligned_be64() unconditionally reads 8 bytes from the potentially
short ascii string, could this read cross into a guard page and cause an oops?
> pr_debug("SPC-3 PR [%s] Extracted initiator %s identifier: %s"
> " %s\n", dest_tf_ops->fabric_name, (iport_ptr != NULL) ?
> "port" : "device", initiator_str, (iport_ptr != NULL) ?
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260610042245.35473-1-hexlabsecurity@proton.me?part=1
next prev parent reply other threads:[~2026-06-10 4:37 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-10 4:22 [PATCH v3] scsi: target: fix iSCSI ISID use-after-free in REGISTER AND MOVE Bryam Vargas
2026-06-10 4:37 ` sashiko-bot [this message]
2026-06-10 8:40 ` John Garry
2026-06-10 11:00 ` David Disseldorp
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260610043721.139661F00893@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=hexlabsecurity@proton.me \
--cc=linux-scsi@vger.kernel.org \
--cc=sashiko-reviews@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox