lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <5B59FB56.9090901@redhat.com>
Date:   Thu, 26 Jul 2018 11:48:22 -0500
From:   Mike Christie <mchristi@...hat.com>
To:     Matthew Wilcox <willy@...radead.org>, linux-kernel@...r.kernel.org
Cc:     "Nicholas A. Bellinger" <nab@...ux-iscsi.org>,
        Bart Van Assche <bart.vanassche@....com>,
        Hannes Reinecke <hare@...e.com>,
        Kees Cook <keescook@...omium.org>,
        Varun Prakash <varun@...lsio.com>,
        Sagi Grimberg <sagi@...mberg.me>,
        Philippe Ombredanne <pombredanne@...b.com>,
        Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
        Kate Stewart <kstewart@...uxfoundation.org>,
        Thomas Gleixner <tglx@...utronix.de>,
        "David S. Miller" <davem@...emloft.net>,
        Denys Vlasenko <dvlasenk@...hat.com>,
        linux-scsi@...r.kernel.org, target-devel@...r.kernel.org
Subject: Re: [PATCH 18/26] target/iscsi: Allocate session IDs from an IDA

On 06/21/2018 04:28 PM, Matthew Wilcox wrote:

> @@ -1163,11 +1157,9 @@ void iscsi_target_login_sess_out(struct iscsi_conn *conn,
>  		goto old_sess_out;
>  	if (conn->sess->se_sess)
>  		transport_free_session(conn->sess->se_sess);
> -	if (conn->sess->session_index != 0) {
> -		spin_lock_bh(&sess_idr_lock);
> -		idr_remove(&sess_idr, conn->sess->session_index);
> -		spin_unlock_bh(&sess_idr_lock);

This code looks buggy. We will probably NULL pointer oops before we hit it.

It looks like the session_index check was supposed to detect when login
fails in the middle of doing login, so that code probably wanted to do:

idr_alloc(&sess_idr, NULL, 1, 0, GFP_NOWAIT);

The problem is that iscsi_login_zero_tsih_s1 sets conn->sess early in
iscsi_login_set_conn_values. If the function fails later like when we
alloc the idr it does kfree(sess) and leaves the conn->sess pointer set.
iscsi_login_zero_tsih_s1 then returns -Exyz and we then call
iscsi_target_login_sess_out and access the freed memory above.

So I am not sure what we want to do here for your patch since it is not
adding any new bugs. Just merge your patch now and I can send a fix for
the above bug over it?


> -	}
> +	/* Um, 0 is a valid ID.  I suppose we never free it? */
> +	if (conn->sess->session_index != 0)
> +		ida_free(&sess_ida, conn->sess->session_index);
>  	kfree(conn->sess->sess_ops);
>  	kfree(conn->sess);
>  	conn->sess = NULL;
>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ