Message-ID: <CAABZP2ywCbu4Po63BDBE7U1WEqx4DF7F2CZjTqFp0dSDw-uziQ@mail.gmail.com>
Date:   Sat, 28 Jan 2023 09:37:47 +0800
From:   Zhouyi Zhou <zhouzhouyi@...il.com>
To:     eric@...ante.org, jejb@...ux.ibm.com,
        "Martin K. Petersen" <martin.petersen@...cle.com>,
        linux-scsi@...r.kernel.org,
        "Joel Fernandes, Google" <joel@...lfernandes.org>,
        "Paul E. McKenney" <paulmck@...nel.org>,
        linux-kernel <linux-kernel@...r.kernel.org>,
        Greg KH <gregkh@...uxfoundation.org>,
        Frederic Weisbecker <frederic@...nel.org>,
        Will Deacon <will@...nel.org>, Marc Zyngier <maz@...nel.org>,
        rcu <rcu@...r.kernel.org>, stable@...r.kernel.org,
        Ingo Molnar <mingo@...nel.org>,
        "Rafael J. Wysocki" <rafael@...nel.org>,
        Thomas Gleixner <tglx@...utronix.de>, lance@...osl.org
Subject: Chasing a 'use after free' bug of SCSI subsystem for linux-stable 5.15.y

Dear SCSI developers:
During the rcutorture test performed on linux-stable 5.15.y in a PPC VM
of the Open Source Lab of Oregon State University, a SCSI-related bug was
discovered [1]:
[    5.178733][    C1] BUG: Kernel NULL pointer dereference on read at 0x00000008
...
[    5.231013][    C1] [c00000001ff9fca0] [c0000000009ffbc8] scsi_end_request+0xd8/0x1f0 (unreliable)
[    5.234961][    C1] [c00000001ff9fcf0] [c000000000a00e68] scsi_io_completion+0x88/0x700
[    5.237863][    C1] [c00000001ff9fda0] [c0000000009f5028] scsi_finish_command+0xe8/0x150
[    5.240089][    C1] [c00000001ff9fdf0] [c000000000a00c70] scsi_complete+0x90/0x140
[    5.242481][    C1] [c00000001ff9fe20] [c0000000007e5170] blk_complete_reqs+0x80/0xa0
[    5.245187][    C1] [c00000001ff9fe50] [c000000000f0b5d0] __do_softirq+0x1e0/0x4e0
[    5.248479][    C1] [c00000001ff9ff90] [c0000000000170e8] do_softirq_own_stack+0x48/0x60
[    5.250919][    C1] [c00000000a5e7c40] [c00000000a5e7c80] 0xc00000000a5e7c80
[    5.253792][    C1] [c00000000a5e7c70] [c0000000001534c0] do_softirq+0xb0/0xc0
[    5.256824][    C1] [c00000000a5e7ca0] [c0000000001535ac] __local_bh_enable_ip+0xdc/0x110
[    5.259414][    C1] [c00000000a5e7cc0] [c0000000001d75e8] irq_forced_thread_fn+0xc8/0xf0
[    5.261921][    C1] [c00000000a5e7d00] [c0000000001d7ae4] irq_thread+0x1b4/0x2a0
[    5.265298][    C1] [c00000000a5e7da0] [c00000000017d8c8] kthread+0x1a8/0x1d0
[    5.269184][    C1] [c00000000a5e7e10] [c00000000000cee4]

By adding printk statements to the SCSI subsystem and performing rounds of
qemu bootup, I found the bug is caused by the following 'use after free'
scenario:

A)                                          B)
__scsi_scan_target
  scsi_probe_and_add_lun
     scsi_probe_lun
       scsi_execute_req
         __scsi_execute
            blk_execute_rq   ---> req --->  time out
                                            __scsi_remove_device
                                              blk_cleanup_queue
                                                percpu_ref_exit(&q->q_usage_counter)
     scsi_end_request
        percpu_ref_put(&q->q_usage_counter)

                                            USE-AFTER-FREE
Reported-by: Zhouyi Zhou <zhouzhouyi@...il.com>

Thanks for your attention
Zhouyi
[1] https://lore.kernel.org/lkml/CAABZP2wa_ZTHUr9tH_6OSpr+TgNACo4kMu3eawsGV5qkCDoAKg@mail.gmail.com/T/
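The interleaving in the report, replayed as a userspace model (added example, not kernel code and not part of the original message): the "queue" and its usage counter are constructed stand-ins for struct request_queue and percpu_ref, the two paths A and B are replayed sequentially rather than with real threads, and the put-after-exit check models what a debug-instrumented refcount would catch.

```c
/* Constructed model of the q_usage_counter lifetime race: a request takes
 * a reference in blk_execute_rq, the queue is torn down while the request
 * is still in flight, and the late completion puts a reference that the
 * teardown already exited. Names below are toy stand-ins, not kernel APIs. */
#include <stdbool.h>

enum ref_state { REF_LIVE, REF_EXITED };

struct usage_ref {
    int count;              /* outstanding references (in-flight requests) */
    enum ref_state state;   /* REF_EXITED once the queue has been torn down */
};

struct queue {
    struct usage_ref q_usage_counter;
    bool put_after_exit;    /* records the bug instead of touching freed memory */
};

static void ref_get(struct queue *q) { q->q_usage_counter.count++; }

/* Models percpu_ref_put(): a put after the exit is the use-after-free. */
static void ref_put(struct queue *q)
{
    if (q->q_usage_counter.state == REF_EXITED) {
        q->put_after_exit = true;
        return;
    }
    q->q_usage_counter.count--;
}

/* Models blk_cleanup_queue() -> percpu_ref_exit(); returns how many
 * references were still outstanding at exit time (should be zero). */
static int queue_cleanup(struct queue *q)
{
    int outstanding = q->q_usage_counter.count;
    q->q_usage_counter.state = REF_EXITED;
    return outstanding;
}

/* Path A issues the probe request, path B times out and removes the device,
 * then A's completion runs. Returns true when the completion's put lands
 * on an already-exited reference, i.e. the scenario from the report. */
bool replay_race(void)
{
    struct queue q = { { 0, REF_LIVE }, false };
    ref_get(&q);              /* A: blk_execute_rq holds q_usage_counter */
    (void)queue_cleanup(&q);  /* B: time out -> __scsi_remove_device -> blk_cleanup_queue */
    ref_put(&q);              /* A: scsi_end_request -> percpu_ref_put */
    return q.put_after_exit;
}

/* Safe ordering: the completion's put happens before the queue is torn down. */
bool replay_safe(void)
{
    struct queue q = { { 0, REF_LIVE }, false };
    ref_get(&q);
    ref_put(&q);
    return queue_cleanup(&q) == 0 && !q.put_after_exit;
}
```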
