Message-ID: <25fbe7c0-3602-41e8-b216-fec19568830b@flourine.local>
Date: Thu, 27 Feb 2025 17:30:10 +0100
From: Daniel Wagner <dwagner@...e.de>
To: James Smart <james.smart@...adcom.com>, Christoph Hellwig <hch@....de>, 
	Sagi Grimberg <sagi@...mberg.me>, Chaitanya Kulkarni <kch@...dia.com>
Cc: Hannes Reinecke <hare@...e.de>, Keith Busch <kbusch@...nel.org>, 
	linux-nvme@...ts.infradead.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH 00/11] nvmet-fcloop: track resources via reference
 counting

On Wed, Feb 26, 2025 at 07:45:52PM +0100, Daniel Wagner wrote:
> static void nvmet_port_subsys_drop_link(struct config_item *parent,
> 		struct config_item *target)
> {
> 	[...]
> found:
> 	list_del(&p->entry);
> 	nvmet_port_del_ctrls(port, subsys);
> 	nvmet_port_disc_changed(port, subsys);   /* XXX triggers the above UAF */
> 
> 	if (list_empty(&port->subsystems))
> 		nvmet_disable_port(port);
> 	up_write(&nvmet_config_sem);
> 	kfree(p);
> }
> 
> The nvmet_port_disc_changed is a bit useless, because these events will
> never be seen by the host. Anyway, more debugging is necessary.

The problem is there is no ref counting for pe->tgtport. And
nvmet_port_disc_changed needs to take a ref on hostport. I am doing some
more testing and it looks promising. Hopefully this is one of those
famous lost words.
