Message-ID: <3dde608f.568.1947e32f3b0.Coremail.wh1sper@zju.edu.cn>
Date: Sun, 19 Jan 2025 18:54:15 +0800 (GMT+08:00)
From: 张浩然 <wh1sper@....edu.cn>
To: "Mike Christie" <michael.christie@...cle.com>
Cc: mst@...hat.com, jasowang@...hat.com, pbonzini@...hat.com,
stefanha@...hat.com, eperezma@...hat.com,
virtualization@...ts.linux.dev, kvm@...r.kernel.org,
linux-kernel@...r.kernel.org
Subject: Re: Re: [PATCH] vhost/scsi: Fix improper cleanup in
vhost_scsi_set_endpoint()

On 2025-01-18 01:11:01, Mike Christie wrote:
> I can't tell if being able to call VHOST_SCSI_SET_ENDPOINT multiple
> times without calling VHOST_SCSI_CLEAR_ENDPOINT between calls is an
> actual feature that the code was trying to support or that is the
> root bug. It's so buggy I feel like it was never meant to be called
> like this so we should just add a check at the beginning of the function.

Sure, proceed as you prefer (maintaining a 12-year-old codebase seems quite troublesome). My suggestion would be to increase the constant VHOST_SCSI_ABI_VERSION if there are API changes, so that userspace can recognize the new version through the VHOST_SCSI_GET_ABI_VERSION ioctl command.

> The worry would be that if there are userspace tools doing this
> and living with the bugs then the above patch would add a regression.
> However, I think that's highly unlikely because of how useless/buggy
> it is.

Agreed. CVE-2024-49863 has shown that no successful SCSI AN requests have been sent from a guest to a vhost-scsi device for years.