lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date:	Fri, 03 May 2013 16:40:56 -0700
From:	"Nicholas A. Bellinger" <nab@...ux-iscsi.org>
To:	Geert Uytterhoeven <geert@...ux-m68k.org>
Cc:	target-devel <target-devel@...r.kernel.org>,
	linux-rdma <linux-rdma@...r.kernel.org>,
	linux-scsi <linux-scsi@...r.kernel.org>,
	linux-kernel <linux-kernel@...r.kernel.org>,
	Roland Dreier <roland@...nel.org>,
	Or Gerlitz <ogerlitz@...lanox.com>,
	Alexander Nezhinsky <alexandern@...lanox.com>
Subject: Re: [RFC-v4 7/9] iscsi-target: Refactor TX queue logic + export
 response PDU creation

On Fri, 2013-05-03 at 23:04 +0200, Geert Uytterhoeven wrote:
> Hi Nicholas,
> 
> On Fri, Apr 12, 2013 at 10:52 PM, Nicholas A. Bellinger
> <nab@...ux-iscsi.org> wrote:
> > --- a/drivers/target/iscsi/iscsi_target.c
> > +++ b/drivers/target/iscsi/iscsi_target.c
> 
> >  static int iscsit_send_reject(
> >         struct iscsi_cmd *cmd,
> >         struct iscsi_conn *conn)
> > @@ -3505,18 +3548,9 @@ static int iscsit_send_reject(
> >         struct iscsi_reject *hdr;
> >         struct kvec *iov;
> >
> > -       hdr                     = (struct iscsi_reject *) cmd->pdu;
> 
> Woops, and now hdr is no longer initialized:
> 
> drivers/target/iscsi/iscsi_target.c: In function ‘iscsit_send_reject’:
> drivers/target/iscsi/iscsi_target.c:3577: warning: ‘hdr’ is used
> uninitialized in this function
> 
> > -       hdr->opcode             = ISCSI_OP_REJECT;
> > -       hdr->flags              |= ISCSI_FLAG_CMD_FINAL;
> > -       hton24(hdr->dlength, ISCSI_HDR_LEN);
> > -       hdr->ffffffff           = cpu_to_be32(0xffffffff);
> > -       cmd->stat_sn            = conn->stat_sn++;
> > -       hdr->statsn             = cpu_to_be32(cmd->stat_sn);
> > -       hdr->exp_cmdsn  = cpu_to_be32(conn->sess->exp_cmd_sn);
> > -       hdr->max_cmdsn  = cpu_to_be32(conn->sess->max_cmd_sn);
> > +       iscsit_build_reject(cmd, conn, (struct iscsi_reject *)&cmd->pdu[0]);
> 
> Hence it will crash later:
> 
>                 iscsit_do_crypto_hash_buf(&conn->conn_tx_hash,
>                                 (unsigned char *)hdr, ISCSI_HDR_LEN,
>                                 0, NULL, (u8 *)header_digest);
> 
> and
> 
>         pr_debug("Built Reject PDU StatSN: 0x%08x, Reason: 0x%02x,"
>                 " CID: %hu\n", ntohl(hdr->statsn), hdr->reason, conn->cid);
> 

Whoops.  Applying the following patch to fix this up now, and including
in the next PULL request.

Thanks alot for catching this!

--nab

diff --git a/drivers/target/iscsi/iscsi_target.c b/drivers/target/iscsi/iscsi_target.c
index ffbc6a9..c230eac 100644
--- a/drivers/target/iscsi/iscsi_target.c
+++ b/drivers/target/iscsi/iscsi_target.c
@@ -3557,11 +3557,11 @@ static int iscsit_send_reject(
        struct iscsi_cmd *cmd,
        struct iscsi_conn *conn)
 {
-       u32 iov_count = 0, tx_size = 0;
-       struct iscsi_reject *hdr;
+       struct iscsi_reject *hdr = (struct iscsi_reject *)&cmd->pdu[0];
        struct kvec *iov;
+       u32 iov_count = 0, tx_size;
 
-       iscsit_build_reject(cmd, conn, (struct iscsi_reject *)&cmd->pdu[0]);
+       iscsit_build_reject(cmd, conn, hdr);
 
        iov = &cmd->iov_misc[0];
        iov[iov_count].iov_base = cmd->pdu;


--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ