| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <2025123025-CVE-2023-54184-e958@gregkh> Date: Tue, 30 Dec 2025 13:09:52 +0100 From: Greg Kroah-Hartman <gregkh@...uxfoundation.org> To: linux-cve-announce@...r.kernel.org Cc: Greg Kroah-Hartman <gregkh@...nel.org> Subject: CVE-2023-54184: scsi: target: iscsit: Free cmds before session free From: Greg Kroah-Hartman <gregkh@...nel.org> Description =========== In the Linux kernel, the following vulnerability has been resolved: scsi: target: iscsit: Free cmds before session free Commands from recovery entries are freed after session has been closed. That leads to use-after-free at command free or NPE with such call trace: Time2Retain timer expired for SID: 1, cleaning up iSCSI session. BUG: kernel NULL pointer dereference, address: 0000000000000140 RIP: 0010:sbitmap_queue_clear+0x3a/0xa0 Call Trace: target_release_cmd_kref+0xd1/0x1f0 [target_core_mod] transport_generic_free_cmd+0xd1/0x180 [target_core_mod] iscsit_free_cmd+0x53/0xd0 [iscsi_target_mod] iscsit_free_connection_recovery_entries+0x29d/0x320 [iscsi_target_mod] iscsit_close_session+0x13a/0x140 [iscsi_target_mod] iscsit_check_post_dataout+0x440/0x440 [iscsi_target_mod] call_timer_fn+0x24/0x140 Move cleanup of recovery enrties to before session freeing. The Linux kernel CVE team has assigned CVE-2023-54184 to this issue. Affected and fixed versions =========================== Fixed in 5.4.244 with commit 89f5055f9b0b57c7e7f02e32df95ef401f809b71 Fixed in 5.10.181 with commit 4621e24c9257c6379343bf0c11b473817cf7edcd Fixed in 5.15.113 with commit 1911cca5916b6e106de7afa3ec0a38447158216c Fixed in 6.1.30 with commit a7a4def6c7046e090bb10c6d550fdeb487db98ba Fixed in 6.3.4 with commit 4ce221d295f53e6c6b835ab33181e735482c9aac Fixed in 6.4 with commit d8990b5a4d065f38f35d69bcd627ec5a7f8330ca Please see https://www.kernel.org for a full list of currently supported kernel versions by the kernel community. Unaffected versions might change over time as fixes are backported to older supported kernel versions. The official CVE entry at https://cve.org/CVERecord/?id=CVE-2023-54184 will be updated if fixes are backported, please check that for the most up to date information about this issue. Affected files ============== The file(s) affected by this issue are: drivers/target/iscsi/iscsi_target.c Mitigation ========== The Linux kernel CVE team recommends that you update to the latest stable kernel version for this, and many other bugfixes. Individual changes are never tested alone, but rather are part of a larger kernel release. Cherry-picking individual commits is not recommended or supported by the Linux kernel community at all. If however, updating to the latest release is impossible, the individual changes to resolve this issue can be found at these commits: https://git.kernel.org/stable/c/89f5055f9b0b57c7e7f02e32df95ef401f809b71 https://git.kernel.org/stable/c/4621e24c9257c6379343bf0c11b473817cf7edcd https://git.kernel.org/stable/c/1911cca5916b6e106de7afa3ec0a38447158216c https://git.kernel.org/stable/c/a7a4def6c7046e090bb10c6d550fdeb487db98ba https://git.kernel.org/stable/c/4ce221d295f53e6c6b835ab33181e735482c9aac https://git.kernel.org/stable/c/d8990b5a4d065f38f35d69bcd627ec5a7f8330ca
Powered by blists - more mailing lists