linux/include/scsi
Mike Christie 6f1d64b130 scsi: iscsi_tcp: Fix UAF during logout when accessing the shost ipaddress
Bug report and analysis from Ding Hui.

During iSCSI session logout, if another task accesses the shost ipaddress
attr, we can get a KASAN UAF report like this:

[  276.942144] BUG: KASAN: use-after-free in _raw_spin_lock_bh+0x78/0xe0
[  276.942535] Write of size 4 at addr ffff8881053b45b8 by task cat/4088
[  276.943511] CPU: 2 PID: 4088 Comm: cat Tainted: G            E      6.1.0-rc8+ #3
[  276.943997] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 11/12/2020
[  276.944470] Call Trace:
[  276.944943]  <TASK>
[  276.945397]  dump_stack_lvl+0x34/0x48
[  276.945887]  print_address_description.constprop.0+0x86/0x1e7
[  276.946421]  print_report+0x36/0x4f
[  276.947358]  kasan_report+0xad/0x130
[  276.948234]  kasan_check_range+0x35/0x1c0
[  276.948674]  _raw_spin_lock_bh+0x78/0xe0
[  276.949989]  iscsi_sw_tcp_host_get_param+0xad/0x2e0 [iscsi_tcp]
[  276.951765]  show_host_param_ISCSI_HOST_PARAM_IPADDRESS+0xe9/0x130 [scsi_transport_iscsi]
[  276.952185]  dev_attr_show+0x3f/0x80
[  276.953005]  sysfs_kf_seq_show+0x1fb/0x3e0
[  276.953401]  seq_read_iter+0x402/0x1020
[  276.954260]  vfs_read+0x532/0x7b0
[  276.955113]  ksys_read+0xed/0x1c0
[  276.955952]  do_syscall_64+0x38/0x90
[  276.956347]  entry_SYSCALL_64_after_hwframe+0x63/0xcd
[  276.956769] RIP: 0033:0x7f5d3a679222
[  276.957161] Code: c0 e9 b2 fe ff ff 50 48 8d 3d 32 c0 0b 00 e8 a5 fe 01 00 0f 1f 44 00 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 0f 05 <48> 3d 00 f0 ff ff 77 56 c3 0f 1f 44 00 00 48 83 ec 28 48 89 54 24
[  276.958009] RSP: 002b:00007ffc864d16a8 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
[  276.958431] RAX: ffffffffffffffda RBX: 0000000000020000 RCX: 00007f5d3a679222
[  276.958857] RDX: 0000000000020000 RSI: 00007f5d3a4fe000 RDI: 0000000000000003
[  276.959281] RBP: 00007f5d3a4fe000 R08: 00000000ffffffff R09: 0000000000000000
[  276.959682] R10: 0000000000000022 R11: 0000000000000246 R12: 0000000000020000
[  276.960126] R13: 0000000000000003 R14: 0000000000000000 R15: 0000557a26dada58
[  276.960536]  </TASK>
[  276.961357] Allocated by task 2209:
[  276.961756]  kasan_save_stack+0x1e/0x40
[  276.962170]  kasan_set_track+0x21/0x30
[  276.962557]  __kasan_kmalloc+0x7e/0x90
[  276.962923]  __kmalloc+0x5b/0x140
[  276.963308]  iscsi_alloc_session+0x28/0x840 [scsi_transport_iscsi]
[  276.963712]  iscsi_session_setup+0xda/0xba0 [libiscsi]
[  276.964078]  iscsi_sw_tcp_session_create+0x1fd/0x330 [iscsi_tcp]
[  276.964431]  iscsi_if_create_session.isra.0+0x50/0x260 [scsi_transport_iscsi]
[  276.964793]  iscsi_if_recv_msg+0xc5a/0x2660 [scsi_transport_iscsi]
[  276.965153]  iscsi_if_rx+0x198/0x4b0 [scsi_transport_iscsi]
[  276.965546]  netlink_unicast+0x4d5/0x7b0
[  276.965905]  netlink_sendmsg+0x78d/0xc30
[  276.966236]  sock_sendmsg+0xe5/0x120
[  276.966576]  ____sys_sendmsg+0x5fe/0x860
[  276.966923]  ___sys_sendmsg+0xe0/0x170
[  276.967300]  __sys_sendmsg+0xc8/0x170
[  276.967666]  do_syscall_64+0x38/0x90
[  276.968028]  entry_SYSCALL_64_after_hwframe+0x63/0xcd
[  276.968773] Freed by task 2209:
[  276.969111]  kasan_save_stack+0x1e/0x40
[  276.969449]  kasan_set_track+0x21/0x30
[  276.969789]  kasan_save_free_info+0x2a/0x50
[  276.970146]  __kasan_slab_free+0x106/0x190
[  276.970470]  __kmem_cache_free+0x133/0x270
[  276.970816]  device_release+0x98/0x210
[  276.971145]  kobject_cleanup+0x101/0x360
[  276.971462]  iscsi_session_teardown+0x3fb/0x530 [libiscsi]
[  276.971775]  iscsi_sw_tcp_session_destroy+0xd8/0x130 [iscsi_tcp]
[  276.972143]  iscsi_if_recv_msg+0x1bf1/0x2660 [scsi_transport_iscsi]
[  276.972485]  iscsi_if_rx+0x198/0x4b0 [scsi_transport_iscsi]
[  276.972808]  netlink_unicast+0x4d5/0x7b0
[  276.973201]  netlink_sendmsg+0x78d/0xc30
[  276.973544]  sock_sendmsg+0xe5/0x120
[  276.973864]  ____sys_sendmsg+0x5fe/0x860
[  276.974248]  ___sys_sendmsg+0xe0/0x170
[  276.974583]  __sys_sendmsg+0xc8/0x170
[  276.974891]  do_syscall_64+0x38/0x90
[  276.975216]  entry_SYSCALL_64_after_hwframe+0x63/0xcd

We can easily reproduce this with two tasks:
1. while :; do iscsiadm -m node --login; iscsiadm -m node --logout; done
2. while :; do cat \
/sys/devices/platform/host*/iscsi_host/host*/ipaddress; done

            iscsid              |        cat
--------------------------------+---------------------------------------
|- iscsi_sw_tcp_session_destroy |
  |- iscsi_session_teardown     |
    |- device_release           |
      |- iscsi_session_release  ||- dev_attr_show
        |- kfree                |  |- show_host_param_
                                |             ISCSI_HOST_PARAM_IPADDRESS
                                |    |- iscsi_sw_tcp_host_get_param
                                |      |- r/w tcp_sw_host->session (UAF)
  |- iscsi_host_remove          |
  |- iscsi_host_free            |

Fix the above bug by splitting the session removal into 2 parts:

 1. removal from iSCSI class which includes sysfs and removal from host
    tracking.

 2. freeing of session.

During iscsi_tcp host and session removal we can remove the session from
sysfs then remove the host from sysfs. At this point we know userspace is
not accessing the kernel via sysfs so we can free the session and host.

Link: https://lore.kernel.org/r/20230117193937.21244-2-michael.christie@oracle.com
Signed-off-by: Mike Christie <michael.christie@oracle.com>
Reviewed-by: Lee Duncan <lduncan@suse.com>
Acked-by: Ding Hui <dinghui@sangfor.com.cn>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
2023-01-18 19:14:56 -05:00
fc scsi: libfc: Replace one-element arrays with flexible-array members 2022-02-27 21:17:37 -05:00
fc_frame.h scsi: libfc: Move scsi/fc_encode.h to libfc 2020-10-29 21:49:25 -04:00
fcoe_sysfs.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 335 2019-06-05 17:37:06 +02:00
iscsi_if.h scsi: iscsi: Add support for asynchronous iSCSI session destruction 2020-03-11 23:07:57 -04:00
iscsi_proto.h scsi: Fix spelling mistakes in header files 2021-05-21 17:22:45 -04:00
iser.h IB/iser,isert: Create and use new shared header 2015-12-24 00:17:35 -05:00
libfc.h scsi: libfc: Stop using the SCSI pointer 2022-02-22 21:11:05 -05:00
libfcoe.h SCSI misc on 20220524 2022-05-25 19:09:48 -07:00
libiscsi_tcp.h SCSI misc on 20190709 2019-07-11 15:14:01 -07:00
libiscsi.h scsi: iscsi_tcp: Fix UAF during logout when accessing the shost ipaddress 2023-01-18 19:14:56 -05:00
libsas.h scsi: libsas: Add sas_task_find_rq() 2022-10-22 03:02:51 +00:00
sas_ata.h scsi: libsas: Do not export sas_ata_wait_after_reset() 2022-11-26 02:26:02 +00:00
sas.h scsi: libsas: Introduce struct smp_rps_resp 2022-06-10 13:08:06 -04:00
scsi_bsg_iscsi.h scsi: Fix spelling mistakes in header files 2021-05-21 17:22:45 -04:00
scsi_cmnd.h scsi: core: Support failing requests while recovering 2022-10-22 03:25:59 +00:00
scsi_common.h scsi: target: core: Add CONTROL field for trace events 2020-10-02 18:36:19 -04:00
scsi_dbg.h scsi: core: Reduce memory required for SCSI logging 2019-08-07 21:47:29 -04:00
scsi_device.h scsi: sd: Use 16-byte SYNCHRONIZE CACHE on ZBC devices 2022-11-26 00:12:31 +00:00
scsi_devinfo.h scsi: core: Add new flag BLIST_IGN_MEDIA_CHANGE 2021-07-21 23:43:48 -04:00
scsi_dh.h scsi: core: Introduce enum scsi_disposition 2021-04-15 22:44:40 -04:00
scsi_driver.h scsi: don't use disk->private_data to find the scsi_driver 2022-03-08 19:40:00 -07:00
scsi_eh.h scsi: core: Remove the cmd field from struct scsi_request 2022-03-01 22:21:49 -05:00
scsi_host.h scsi: core: Change the return type of .eh_timed_out() 2022-10-22 03:25:59 +00:00
scsi_ioctl.h scsi: remove the gendisk argument to scsi_ioctl 2021-11-29 06:41:29 -07:00
scsi_proto.h SCSI misc on 20221213 2022-12-14 08:58:51 -08:00
scsi_status.h scsi: core: Remove useless host error codes 2022-09-06 22:05:59 -04:00
scsi_tcq.h scsi: core: Only return started requests from scsi_host_find_tag() 2020-07-24 22:09:56 -04:00
scsi_transport_fc.h scsi: core: Change the return type of .eh_timed_out() 2022-10-22 03:25:59 +00:00
scsi_transport_iscsi.h scsi: iscsi: Fix multiple iSCSI session unbind events sent to userspace 2022-12-14 02:49:19 +00:00
scsi_transport_sas.h scsi: scsi_transport_sas: Add 22.5 Gbps link rate definitions 2021-10-19 14:07:19 -04:00
scsi_transport_spi.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 156 2019-05-30 11:26:35 -07:00
scsi_transport_srp.h scsi: core: Change the return type of .eh_timed_out() 2022-10-22 03:25:59 +00:00
scsi_transport.h SCSI misc on 20190709 2019-07-11 15:14:01 -07:00
scsi.h scsi: sd: Convert SCSI errors to PR errors 2022-12-01 03:22:23 +00:00
scsicam.h scsi: simplify scsi_partsize 2020-03-24 07:57:07 -06:00
sg.h scsi: core: Rename status_byte to sg_status_byte 2022-12-01 03:22:23 +00:00
srp.h RDMA/srp: Apply the __packed attribute to members instead of structures 2021-05-28 20:21:20 -03:00
viosrp.h scsi: ibmvscsis: Silence -Warray-bounds warning 2022-02-11 16:42:22 -05:00