scsi: target: iscsi: Fix a race condition between login_work and the login thread
Description
In the Linux kernel, the following vulnerability has been resolved:
scsi: target: iscsi: Fix a race condition between login_work and the login thread
In case a malicious initiator sends some random data immediately after a login PDU; the iscsi_target_sk_data_ready() callback will schedule the login_work and, at the same time, the negotiation may end without clearing the LOGIN_FLAGS_INITIAL_PDU flag (because no additional PDU exchanges are required to complete the login).
The login has been completed but the login_work function will find the LOGIN_FLAGS_INITIAL_PDU flag set and will never stop from rescheduling itself; at this point, if the initiator drops the connection, the iscsit_conn structure will be freed, login_work will dereference a released socket structure and the kernel crashes.
BUG: kernel NULL pointer dereference, address: 0000000000000230 PF: supervisor write access in kernel mode PF: error_code(0x0002) - not-present page Workqueue: events iscsi_target_do_login_rx [iscsi_target_mod] RIP: 0010:_raw_read_lock_bh+0x15/0x30 Call trace: iscsi_target_do_login_rx+0x75/0x3f0 [iscsi_target_mod] process_one_work+0x1e8/0x3c0
Fix this bug by forcing login_work to stop after the login has been completed and the socket callbacks have been restored.
Add a comment to clearify the return values of iscsi_target_do_login()
Affected products
10- osv-coords8 versionspkg:rpm/suse/kernel-default&distro=SUSE%20Linux%20Enterprise%20Live%20Patching%2012%20SP5pkg:rpm/suse/kernel-default&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP5-LTSSpkg:rpm/suse/kernel-default&distro=SUSE%20Linux%20Enterprise%20Server%20LTSS%20Extended%20Security%2012%20SP5pkg:rpm/suse/kernel-source&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP5-LTSSpkg:rpm/suse/kernel-source&distro=SUSE%20Linux%20Enterprise%20Server%20LTSS%20Extended%20Security%2012%20SP5pkg:rpm/suse/kernel-syms&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP5-LTSSpkg:rpm/suse/kernel-syms&distro=SUSE%20Linux%20Enterprise%20Server%20LTSS%20Extended%20Security%2012%20SP5pkg:rpm/suse/kgraft-patch-SLE12-SP5_Update_74&distro=SUSE%20Linux%20Enterprise%20Live%20Patching%2012%20SP5
< 4.12.14-122.280.1+ 7 more
- (no CPE)range: < 4.12.14-122.280.1
- (no CPE)range: < 4.12.14-122.280.1
- (no CPE)range: < 4.12.14-122.280.1
- (no CPE)range: < 4.12.14-122.280.1
- (no CPE)range: < 4.12.14-122.280.1
- (no CPE)range: < 4.12.14-122.280.1
- (no CPE)range: < 4.12.14-122.280.1
- (no CPE)range: < 1-8.5.1
Patches
Vulnerability mechanics
References
3News mentions
0No linked articles in our index yet.