| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <da087e9b-bd07-e5fd-421d-242e6adce22b@suse.de>
Date: Tue, 19 Apr 2022 16:56:53 +0200
From: Hannes Reinecke <hare@...e.de>
To: Wenchao Hao <haowenchao@...wei.com>,
"James E.J. Bottomley" <jejb@...ux.ibm.com>,
"Martin K. Petersen" <martin.petersen@...cle.com>,
linux-scsi@...r.kernel.org,
"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>
Cc: Feilong Lin <linfeilong@...wei.com>
Subject: Re: [Question] SCSI_EH: How does EH guarantee there is no UAF of
scsi_cmnd if host reset failed
On 4/19/22 16:28, Wenchao Hao wrote:
> Hi all, I am wondered how does SCSI EH guarantee there is no UAF of scsi_cmnd
> if host reset failed. If host reset failed and eh_cmd_q of shost is not empty,
> these command in eh_cmd_q would be added to done_q in scsi_eh_offline_sdevs()
> and finished by scsi_eh_flush_done_q(). So these scsi_cmnd and it's related
> request would be freed.
>
Yes.
> While since host reset failed, we can not guarantee the LLDDs has cleared all
> references to these commands in eh_cmd_q. Is there any possibility that the
> LLDDs reference to these commands? If this happened, then a using after free
> issue would occur.
>
If host reset has failed there are _no_ assumptions we can make about
commands, and not even about the PCI device itself.
So in effect, once host_reset failed the system is hosed.
We _might_ be able to resurrect the system by doing PCI EEH, but not
many systems nor drivers implement that.
Cheers,
Hannes
Powered by blists - more mailing lists