From: "Martin K. Petersen" <>
To: Lv Yunlong <>
	Mike Christie <>
Subject: Re: [PATCH] scsi: be2iscsi: Fix a use after free in beiscsi_if_clr_ip
Date: Tue, 29 Jun 2021 18:02:08 -0400	[thread overview]
Message-ID: <> (raw)
In-Reply-To: <> (Lv Yunlong's message of "Mon, 24 May 2021 02:50:39 -0700")


> In the free_cmd error path of callee beiscsi_exec_nemb_cmd(),
> nonemb_cmd->va is freed by dma_free_coherent().  As req =
>, we can see that the freed is still
> dereferenced and used by req->ip_params.ip_record.status.

> My patch uses status to replace req->ip_params.ip_record.status to
> avoid the uaf.

This status is captured prior to executing the command so it doesn't
actually reflect whether the operation was successful (which I believe
was the intent).

Some of the callers of beiscsi_exec_nemb_cmd() pass a response buffer
and a response length as the two last arguments. Since
beiscsi_exec_nemb_cmd() frees the command before returning, passing a
response buffer seems to be the only way to get meaningful data out.

operation returns something useful from the controller. As far as I can
tell not all operations have a response buffer defined.

My recommendation would be to add a response buffer and try to decipher
what comes back from the firmware. Also, beiscsi_if_set_ip() appears to
have the same problem as beiscsi_if_clr_ip().

Martin K. Petersen	Oracle Linux Engineering
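The shape of the bug under discussion and of the response-buffer approach recommended above, as an added user-space model written for this thread (not be2iscsi code): the struct names and layout, malloc/free standing in for the DMA allocator, and the simulated firmware completion are all assumptions.

```c
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

/* Minimal model of the command/response record; names are assumed,
 * not the driver's real layout. */
struct ip_record { uint32_t status; };
struct ip_req { struct ip_record ip_record; };

/* Stands in for the firmware completing the command: it writes the
 * real outcome into the DMA-visible request buffer. */
static void fake_firmware_complete(struct ip_req *req, uint32_t fw_status)
{
    req->ip_record.status = fw_status;
}

/* Models the callee: runs the command and ALWAYS frees the command buffer
 * before returning (the free_cmd path). If the caller supplied a response
 * buffer, the record is copied out first; that copy is the only safe way
 * to read anything the firmware wrote. Returns 0 on success, <0 on error. */
static int exec_cmd_model(struct ip_req *req, uint32_t fw_status,
                          void *resp, size_t resp_len)
{
    int rc = 0;
    fake_firmware_complete(req, fw_status);
    if (fw_status != 0)
        rc = -1;
    if (resp && resp_len >= sizeof(req->ip_record))
        memcpy(resp, &req->ip_record, sizeof(req->ip_record));
    free(req);                        /* stands in for dma_free_coherent() */
    return rc;
}

/* Pattern the thread describes (kept as a comment only, never run):
 *   rc = exec_cmd_model(req, fw_status, NULL, 0);
 *   if (rc) return req->ip_record.status;   <- req was freed by the callee
 */

/* Caller following the recommendation: the status comes from the response
 * copy, which lives on this frame and not in the freed command buffer. */
static int clr_ip_fixed(uint32_t fw_status, uint32_t *status_out)
{
    struct ip_record resp;
    struct ip_req *req = calloc(1, sizeof(*req));
    if (!req)
        return -2;
    int rc = exec_cmd_model(req, fw_status, &resp, sizeof(resp));
    *status_out = resp.status;        /* reflects what the firmware reported */
    return rc;
}
```

Note that `*status_out` holds the value the firmware actually wrote, which a status captured before the command ran cannot provide.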
