| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 3 Jul 2019 17:03:02 -0600
From: Logan Gunthorpe <logang@...tatee.com>
To: linux-kernel@...r.kernel.org, linux-nvme@...ts.infradead.org,
Christoph Hellwig <hch@....de>,
Sagi Grimberg <sagi@...mberg.me>
Cc: Stephen Bates <sbates@...thlin.com>,
Logan Gunthorpe <logang@...tatee.com>
Subject: [PATCH v2 0/2] Fix use-after-free bug when ports are removed
Hey,
This is the second attempt at fixing this.
Per Sagi's feedback on the first attempt, I've found an approach
that disconnects active controllers when the subsys is removed from
the port (Patch 1). Patch 2 fixes a race that still exists in the
loop transport which requires us to flush the nvme_delete_wq before
freeing the port to prevent the use-after-free bug.
Logan
--
NVME target ports can be removed while there are still active
controllers. Largely this is fine, except some admin commands
can access the req->port (for example, id-ctrl uses the port's
inline date size as part of it's response). This was found
while testing with KASAN.
--
Logan Gunthorpe (2):
nvmet: Fix use-after-free bug when a port is removed
nvmet-loop: Flush nvme_delete_wq when removing the port
drivers/nvme/target/configfs.c | 1 +
drivers/nvme/target/core.c | 12 ++++++++++++
drivers/nvme/target/loop.c | 8 ++++++++
drivers/nvme/target/nvmet.h | 3 +++
4 files changed, 24 insertions(+)
--
2.20.1
Powered by blists - more mailing lists