| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 26 Jul 2018 11:50:23 -0500
From: Mike Christie <mchristi@...hat.com>
To: Matthew Wilcox <willy@...radead.org>, linux-kernel@...r.kernel.org
Cc: "Nicholas A. Bellinger" <nab@...ux-iscsi.org>,
Bart Van Assche <bart.vanassche@....com>,
Hannes Reinecke <hare@...e.com>,
Kees Cook <keescook@...omium.org>,
Varun Prakash <varun@...lsio.com>,
Sagi Grimberg <sagi@...mberg.me>,
Philippe Ombredanne <pombredanne@...b.com>,
Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
Kate Stewart <kstewart@...uxfoundation.org>,
Thomas Gleixner <tglx@...utronix.de>,
"David S. Miller" <davem@...emloft.net>,
Denys Vlasenko <dvlasenk@...hat.com>,
linux-scsi@...r.kernel.org, target-devel@...r.kernel.org
Subject: Re: [PATCH 18/26] target/iscsi: Allocate session IDs from an IDA
On 07/26/2018 11:48 AM, Mike Christie wrote:
> On 06/21/2018 04:28 PM, Matthew Wilcox wrote:
>
>> @@ -1163,11 +1157,9 @@ void iscsi_target_login_sess_out(struct iscsi_conn *conn,
>> goto old_sess_out;
>> if (conn->sess->se_sess)
>> transport_free_session(conn->sess->se_sess);
>> - if (conn->sess->session_index != 0) {
>> - spin_lock_bh(&sess_idr_lock);
>> - idr_remove(&sess_idr, conn->sess->session_index);
>> - spin_unlock_bh(&sess_idr_lock);
>
> This code looks buggy. We will probably NULL pointer oops before we hit it.
Sorry did not mean null pointer, but some crash due to accessing memory
that was freed.
>
> It looks like the session_index check was supposed to detect when login
> fails in the middle of doing login, so that code probably wanted to do:
>
> idr_alloc(&sess_idr, NULL, 1, 0, GFP_NOWAIT);
>
> The problem is that iscsi_login_zero_tsih_s1 sets conn->sess early in
> iscsi_login_set_conn_values. If the function fails later like when we
> alloc the idr it does kfree(sess) and leaves the conn->sess pointer set.
> iscsi_login_zero_tsih_s1 then returns -Exyz and we then call
> iscsi_target_login_sess_out and access the freed memory above.
>
> So I am not sure what we want to do here for your patch since it is not
> adding any new bugs. Just merge your patch now and I can send a fix for
> the above bug over it?
>
>
>> - }
>> + /* Um, 0 is a valid ID. I suppose we never free it? */
>> + if (conn->sess->session_index != 0)
>> + ida_free(&sess_ida, conn->sess->session_index);
>> kfree(conn->sess->sess_ops);
>> kfree(conn->sess);
>> conn->sess = NULL;
>>
>
Powered by blists - more mailing lists