From: "Martin K. Petersen" <martin.petersen@oracle.com>
To: Lv Yunlong <lyl2019@mail.ustc.edu.cn>
Cc: subbu.seetharaman@broadcom.com, ketan.mukadam@broadcom.com,
jitendra.bhivare@broadcom.com, jejb@linux.ibm.com,
martin.petersen@oracle.com, linux-scsi@vger.kernel.org,
linux-kernel@vger.kernel.org,
Mike Christie <michael.christie@oracle.com>
Subject: Re: [PATCH] scsi: be2iscsi: Fix a use after free in beiscsi_if_clr_ip
Date: Tue, 29 Jun 2021 18:02:08 -0400 [thread overview]
Message-ID: <yq11r8kibzu.fsf@ca-mkp.ca.oracle.com> (raw)
In-Reply-To: <20210524095039.9033-1-lyl2019@mail.ustc.edu.cn> (Lv Yunlong's message of "Mon, 24 May 2021 02:50:39 -0700")
Lv,
> In the free_cmd error path of callee beiscsi_exec_nemb_cmd(),
> nonemb_cmd->va is freed by dma_free_coherent(). As req =
> nonemb_cmd.va, we can see that the freed nonemb_cmd.va is still
> dereferenced and used by req->ip_params.ip_record.status.
> My patch uses status to replace req->ip_params.ip_record.status to
> avoid the uaf.
This status is captured prior to executing the command so it doesn't
actually reflect whether the operation was successful (which I believe
was the intent).
Some of the callers of beiscsi_exec_nemb_cmd() pass a response buffer
and a response length as the two last arguments. Since
beiscsi_exec_nemb_cmd() frees the command before returning, passing a
response buffer seems to be the only way to get meaningful data out.
I am not sure whether the OPCODE_COMMON_ISCSI_NTWK_MODIFY_IP_ADDR
operation returns something useful from the controller. As far as I can
tell not all operations have a response buffer defined.
My recommendation would be to add a response buffer and try to decipher
what comes back from the firmware. Also, beiscsi_if_set_ip() appears to
have the same problem as beiscsi_if_clr_ip().
--
Martin K. Petersen Oracle Linux Engineering
next prev parent reply other threads:[~2021-06-29 22:02 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-05-24 9:50 [PATCH] scsi: be2iscsi: Fix a use after free in beiscsi_if_clr_ip Lv Yunlong
2021-06-29 22:02 ` Martin K. Petersen [this message]
2021-07-01 1:13 ` michael.christie
-- strict thread matches above, loose matches on Subject: below --
2021-04-03 6:40 Lv Yunlong
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=yq11r8kibzu.fsf@ca-mkp.ca.oracle.com \
--to=martin.petersen@oracle.com \
--cc=jejb@linux.ibm.com \
--cc=jitendra.bhivare@broadcom.com \
--cc=ketan.mukadam@broadcom.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-scsi@vger.kernel.org \
--cc=lyl2019@mail.ustc.edu.cn \
--cc=michael.christie@oracle.com \
--cc=subbu.seetharaman@broadcom.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.