linux/include/scsi
Mike Christie 17b738590b scsi: iscsi_tcp: Fix UAF during logout when accessing the shost ipaddress
[ Upstream commit 6f1d64b130 ]

Bug report and analysis from Ding Hui.

During iSCSI session logout, if another task accesses the shost ipaddress
attr, we can get a KASAN UAF report like this:

[  276.942144] BUG: KASAN: use-after-free in _raw_spin_lock_bh+0x78/0xe0
[  276.942535] Write of size 4 at addr ffff8881053b45b8 by task cat/4088
[  276.943511] CPU: 2 PID: 4088 Comm: cat Tainted: G            E      6.1.0-rc8+ #3
[  276.943997] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 11/12/2020
[  276.944470] Call Trace:
[  276.944943]  <TASK>
[  276.945397]  dump_stack_lvl+0x34/0x48
[  276.945887]  print_address_description.constprop.0+0x86/0x1e7
[  276.946421]  print_report+0x36/0x4f
[  276.947358]  kasan_report+0xad/0x130
[  276.948234]  kasan_check_range+0x35/0x1c0
[  276.948674]  _raw_spin_lock_bh+0x78/0xe0
[  276.949989]  iscsi_sw_tcp_host_get_param+0xad/0x2e0 [iscsi_tcp]
[  276.951765]  show_host_param_ISCSI_HOST_PARAM_IPADDRESS+0xe9/0x130 [scsi_transport_iscsi]
[  276.952185]  dev_attr_show+0x3f/0x80
[  276.953005]  sysfs_kf_seq_show+0x1fb/0x3e0
[  276.953401]  seq_read_iter+0x402/0x1020
[  276.954260]  vfs_read+0x532/0x7b0
[  276.955113]  ksys_read+0xed/0x1c0
[  276.955952]  do_syscall_64+0x38/0x90
[  276.956347]  entry_SYSCALL_64_after_hwframe+0x63/0xcd
[  276.956769] RIP: 0033:0x7f5d3a679222
[  276.957161] Code: c0 e9 b2 fe ff ff 50 48 8d 3d 32 c0 0b 00 e8 a5 fe 01 00 0f 1f 44 00 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 0f 05 <48> 3d 00 f0 ff ff 77 56 c3 0f 1f 44 00 00 48 83 ec 28 48 89 54 24
[  276.958009] RSP: 002b:00007ffc864d16a8 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
[  276.958431] RAX: ffffffffffffffda RBX: 0000000000020000 RCX: 00007f5d3a679222
[  276.958857] RDX: 0000000000020000 RSI: 00007f5d3a4fe000 RDI: 0000000000000003
[  276.959281] RBP: 00007f5d3a4fe000 R08: 00000000ffffffff R09: 0000000000000000
[  276.959682] R10: 0000000000000022 R11: 0000000000000246 R12: 0000000000020000
[  276.960126] R13: 0000000000000003 R14: 0000000000000000 R15: 0000557a26dada58
[  276.960536]  </TASK>
[  276.961357] Allocated by task 2209:
[  276.961756]  kasan_save_stack+0x1e/0x40
[  276.962170]  kasan_set_track+0x21/0x30
[  276.962557]  __kasan_kmalloc+0x7e/0x90
[  276.962923]  __kmalloc+0x5b/0x140
[  276.963308]  iscsi_alloc_session+0x28/0x840 [scsi_transport_iscsi]
[  276.963712]  iscsi_session_setup+0xda/0xba0 [libiscsi]
[  276.964078]  iscsi_sw_tcp_session_create+0x1fd/0x330 [iscsi_tcp]
[  276.964431]  iscsi_if_create_session.isra.0+0x50/0x260 [scsi_transport_iscsi]
[  276.964793]  iscsi_if_recv_msg+0xc5a/0x2660 [scsi_transport_iscsi]
[  276.965153]  iscsi_if_rx+0x198/0x4b0 [scsi_transport_iscsi]
[  276.965546]  netlink_unicast+0x4d5/0x7b0
[  276.965905]  netlink_sendmsg+0x78d/0xc30
[  276.966236]  sock_sendmsg+0xe5/0x120
[  276.966576]  ____sys_sendmsg+0x5fe/0x860
[  276.966923]  ___sys_sendmsg+0xe0/0x170
[  276.967300]  __sys_sendmsg+0xc8/0x170
[  276.967666]  do_syscall_64+0x38/0x90
[  276.968028]  entry_SYSCALL_64_after_hwframe+0x63/0xcd
[  276.968773] Freed by task 2209:
[  276.969111]  kasan_save_stack+0x1e/0x40
[  276.969449]  kasan_set_track+0x21/0x30
[  276.969789]  kasan_save_free_info+0x2a/0x50
[  276.970146]  __kasan_slab_free+0x106/0x190
[  276.970470]  __kmem_cache_free+0x133/0x270
[  276.970816]  device_release+0x98/0x210
[  276.971145]  kobject_cleanup+0x101/0x360
[  276.971462]  iscsi_session_teardown+0x3fb/0x530 [libiscsi]
[  276.971775]  iscsi_sw_tcp_session_destroy+0xd8/0x130 [iscsi_tcp]
[  276.972143]  iscsi_if_recv_msg+0x1bf1/0x2660 [scsi_transport_iscsi]
[  276.972485]  iscsi_if_rx+0x198/0x4b0 [scsi_transport_iscsi]
[  276.972808]  netlink_unicast+0x4d5/0x7b0
[  276.973201]  netlink_sendmsg+0x78d/0xc30
[  276.973544]  sock_sendmsg+0xe5/0x120
[  276.973864]  ____sys_sendmsg+0x5fe/0x860
[  276.974248]  ___sys_sendmsg+0xe0/0x170
[  276.974583]  __sys_sendmsg+0xc8/0x170
[  276.974891]  do_syscall_64+0x38/0x90
[  276.975216]  entry_SYSCALL_64_after_hwframe+0x63/0xcd

We can easily reproduce by two tasks:
1. while :; do iscsiadm -m node --login; iscsiadm -m node --logout; done
2. while :; do cat \
/sys/devices/platform/host*/iscsi_host/host*/ipaddress; done

            iscsid              |        cat
--------------------------------+---------------------------------------
|- iscsi_sw_tcp_session_destroy |
  |- iscsi_session_teardown     |
    |- device_release           |
      |- iscsi_session_release  ||- dev_attr_show
        |- kfree                |  |- show_host_param_
                                |             ISCSI_HOST_PARAM_IPADDRESS
                                |    |- iscsi_sw_tcp_host_get_param
                                |      |- r/w tcp_sw_host->session (UAF)
  |- iscsi_host_remove          |
  |- iscsi_host_free            |

Fix the above bug by splitting the session removal into 2 parts:

 1. removal from iSCSI class which includes sysfs and removal from host
    tracking.

 2. freeing of session.

During iscsi_tcp host and session removal we can remove the session from
sysfs then remove the host from sysfs. At this point we know userspace is
not accessing the kernel via sysfs so we can free the session and host.

Link: https://lore.kernel.org/r/20230117193937.21244-2-michael.christie@oracle.com
Signed-off-by: Mike Christie <michael.christie@oracle.com>
Reviewed-by: Lee Duncan <lduncan@suse.com>
Acked-by: Ding Hui <dinghui@sangfor.com.cn>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2023-02-09 11:26:39 +01:00
..
fc scsi: fc: FDMI enhancement 2021-06-10 00:03:56 -04:00
fc_frame.h scsi: libfc: Move scsi/fc_encode.h to libfc 2020-10-29 21:49:25 -04:00
fcoe_sysfs.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 335 2019-06-05 17:37:06 +02:00
iscsi_if.h scsi: iscsi: Add support for asynchronous iSCSI session destruction 2020-03-11 23:07:57 -04:00
iscsi_proto.h scsi: Fix spelling mistakes in header files 2021-05-21 17:22:45 -04:00
iser.h
libfc.h scsi: Fix spelling mistakes in header files 2021-05-21 17:22:45 -04:00
libfcoe.h scsi: fcoe: Fix Wstringop-overflow warnings in fcoe_wwn_from_mac() 2022-06-09 10:23:07 +02:00
libiscsi_tcp.h SCSI misc on 20190709 2019-07-11 15:14:01 -07:00
libiscsi.h scsi: iscsi_tcp: Fix UAF during logout when accessing the shost ipaddress 2023-02-09 11:26:39 +01:00
libsas.h scsi: libsas: Introduce more SAM status code aliases in enum exec_status 2021-06-02 16:10:46 -04:00
sas_ata.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 156 2019-05-30 11:26:35 -07:00
sas.h scsi: libsas: Replace zero-length array with flexible-array 2020-05-11 22:26:32 -04:00
scsi_bsg_iscsi.h scsi: Fix spelling mistakes in header files 2021-05-21 17:22:45 -04:00
scsi_cmnd.h scsi: stex: Properly zero out the passthrough command structure 2022-10-15 07:59:01 +02:00
scsi_common.h scsi: target: core: Add CONTROL field for trace events 2020-10-02 18:36:19 -04:00
scsi_dbg.h scsi: core: Reduce memory required for SCSI logging 2019-08-07 21:47:29 -04:00
scsi_device.h scsi: core: sd: Add silence_suspend flag to suppress some PM messages 2022-04-08 14:22:54 +02:00
scsi_devinfo.h scsi: core: Add new flag BLIST_IGN_MEDIA_CHANGE 2021-07-21 23:43:48 -04:00
scsi_dh.h scsi: core: Introduce enum scsi_disposition 2021-04-15 22:44:40 -04:00
scsi_driver.h scsi: return blk_status_t from scsi_init_io and ->init_command 2018-11-09 19:17:14 -07:00
scsi_eh.h scsi: core: Introduce enum scsi_disposition 2021-04-15 22:44:40 -04:00
scsi_host.h scsi: core: Avoid leaving shost->last_reset with stale value if EH does not run 2021-11-18 19:15:51 +01:00
scsi_ioctl.h scsi: scsi_ioctl: Unexport sg_scsi_ioctl() 2021-07-28 22:24:28 -04:00
scsi_proto.h scsi: core: Introduce enums for the SAM and host status codes 2021-06-02 23:09:39 -04:00
scsi_request.h scsi: scsi_ioctl: Remove scsi_req_init() 2021-07-28 22:24:26 -04:00
scsi_status.h scsi: core: Introduce enums for the SAM and host status codes 2021-06-02 23:09:39 -04:00
scsi_tcq.h scsi: core: Only return started requests from scsi_host_find_tag() 2020-07-24 22:09:56 -04:00
scsi_transport_fc.h scsi: libfc: Add FDMI-2 attributes 2021-06-10 00:03:56 -04:00
scsi_transport_iscsi.h scsi: iscsi: Fix multiple iSCSI session unbind events sent to userspace 2023-02-01 08:27:16 +01:00
scsi_transport_sas.h scsi: libsas: direct call probe and destruct 2018-01-10 23:24:02 -05:00
scsi_transport_spi.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 156 2019-05-30 11:26:35 -07:00
scsi_transport_srp.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
scsi_transport.h SCSI misc on 20190709 2019-07-11 15:14:01 -07:00
scsi.h scsi: core: Introduce enums for the SAM and host status codes 2021-06-02 23:09:39 -04:00
scsicam.h scsi: simplify scsi_partsize 2020-03-24 07:57:07 -06:00
sg.h scsi: core: Drop obsolete Linux-specific SCSI status codes 2021-05-31 23:59:18 -04:00
srp.h RDMA/srp: Apply the __packed attribute to members instead of structures 2021-05-28 20:21:20 -03:00
viosrp.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 157 2019-05-30 11:26:37 -07:00