CVE-2022-50350
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
Summary
In the Linux kernel, the following vulnerability has been resolved:
scsi: target: iscsi: Fix a race condition between login_work and the login thread
In case a malicious initiator sends some random data immediately after a login PDU; the iscsi_target_sk_data_ready() callback will schedule the login_work and, at the same time, the negotiation may end without clearing the LOGIN_FLAGS_INITIAL_PDU flag (because no additional PDU exchanges are required to complete the login).
The login has been completed but the login_work function will find the LOGIN_FLAGS_INITIAL_PDU flag set and will never stop from rescheduling itself; at this point, if the initiator drops the connection, the iscsit_conn structure will be freed, login_work will dereference a released socket structure and the kernel crashes.
BUG: kernel NULL pointer dereference, address: 0000000000000230 PF: supervisor write access in kernel mode PF: error_code(0x0002) - not-present page Workqueue: events iscsi_target_do_login_rx [iscsi_target_mod] RIP: 0010:_raw_read_lock_bh+0x15/0x30 Call trace: iscsi_target_do_login_rx+0x75/0x3f0 [iscsi_target_mod] process_one_work+0x1e8/0x3c0
Fix this bug by forcing login_work to stop after the login has been completed and the socket callbacks have been restored.
Add a comment to clearify the return values of iscsi_target_do_login()
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Linux | Linux | d381a8010a052813a88e20e089be4a58aad8b40a < 1533b8b3058db618409f41554ebe768c2e3acfae | affected |
| Linux | Linux | d381a8010a052813a88e20e089be4a58aad8b40a < 3ecdca49ca49d4770639d81503c873b6d25887c4 | affected |
| Linux | Linux | d381a8010a052813a88e20e089be4a58aad8b40a < fec1b2fa62c162d03f5dcd7b03e3c89d3116d49f | affected |
| Linux | Linux | 3.12 | affected |
| Linux | Linux | 0 < 3.12 | unaffected |
| Linux | Linux | 6.0.16 <= 6.0.* | unaffected |
| Linux | Linux | 6.1.2 <= 6.1.* | unaffected |
| Linux | Linux | 6.2 <= * | unaffected |
Weaknesses
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: partial
References
- https://git.kernel.org/stable/c/1533b8b3058db618409f41554ebe768c2e3acfae
- https://git.kernel.org/stable/c/3ecdca49ca49d4770639d81503c873b6d25887c4
- https://git.kernel.org/stable/c/fec1b2fa62c162d03f5dcd7b03e3c89d3116d49f
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.