lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Sat, 24 Sep 2022 10:46:58 +0800 (GMT+08:00)
From:   duoming@....edu.cn
To:     "Jason Yan" <yanaijie@...wei.com>
Cc:     linux-kernel@...r.kernel.org, linux-scsi@...r.kernel.org,
        jejb@...ux.ibm.com, martin.petersen@...cle.com, kuba@...nel.org,
        john.garry@...wei.com, gregkh@...uxfoundation.org,
        davem@...emloft.net
Subject: Re: [PATCH] scsi: libsas: fix use-after-free bug in
 smp_execute_task_sg

Hello,

On Thu, 22 Sep 2022 22:06:30 +0800 Jason Yan wrote:

> On 2022/9/20 22:42, Duoming Zhou wrote:
> > When executing SMP task failed, the smp_execute_task_sg()
> > calls del_timer() to delete the "slow_task->timer". However,
> > if the timer handler sas_task_internal_timedout() is running,
> > the del_timer() in smp_execute_task_sg() will not stop it
> > and the UAF bug will happen. The process is shown below:
> > 
> >        (thread 1)               |        (thread 2)
> > smp_execute_task_sg()          | sas_task_internal_timedout()
> >   ...                           |
> >   del_timer()                   |
> >   ...                           |  ...
> >   sas_free_task(task)           |
> >    kfree(task->slow_task) //FREE|
> >                                 |  task->slow_task->... //USE
> > 
> > Fix by calling del_timer_sync() in smp_execute_task_sg(),
> > which makes sure the timer handler have finished before
> > the "task->slow_task" is deallocated.
> > 
> > Fixes: 2908d778ab3e ("[SCSI] aic94xx: new driver")
> > Signed-off-by: Duoming Zhou <duoming@....edu.cn>
> > ---
> >   drivers/scsi/libsas/sas_expander.c | 2 +-
> >   1 file changed, 1 insertion(+), 1 deletion(-)
> > 
> > diff --git a/drivers/scsi/libsas/sas_expander.c b/drivers/scsi/libsas/sas_expander.c
> > index fa2209080cc..5ce25183010 100644
> > --- a/drivers/scsi/libsas/sas_expander.c
> > +++ b/drivers/scsi/libsas/sas_expander.c
> > @@ -67,7 +67,7 @@ static int smp_execute_task_sg(struct domain_device *dev,
> >   		res = i->dft->lldd_execute_task(task, GFP_KERNEL);
> >   
> >   		if (res) {
> > -			del_timer(&task->slow_task->timer);
> > +			del_timer_sync(&task->slow_task->timer);
> >   			pr_notice("executing SMP task failed:%d\n", res);
> >   			break;
> >   		}
> > 
> 
> The timer should be triggered 10 seconds later. I am curious why we stay
> this long before del_timer().

I think the hacker may create a large number of hardware interrupts to
increase the delayed time.

> However this change looks good to me.
> Reviewed-by: Jason Yan <yanaijie@...wei.com>

Thank you!

Best regards,
Duoming Zhou

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ