!72 Fix UAF in STAILQ_FOREACH

From: @Zht-Try Reviewed-by: @swf504, @liuzhiqiang26 Signed-off-by: @liuzhiqiang26
2022-12-12 14:09:59 +00:00 · 2022-12-12 14:09:59 +00:00 · bb99505454
commit bb99505454
parent 1ba77358a9 edf16c2ef4
2 changed files with 57 additions and 1 deletions
--- a/0031-Fix-UAF-in-STAILQ_FOREACH.patch
+++ b/0031-Fix-UAF-in-STAILQ_FOREACH.patch
@ -0,0 +1,52 @@
+From 9c74cca9c8572dabe472d0f2b033bdc84dfb8882 Mon Sep 17 00:00:00 2001
+From: zhanghongtao <zhanghongtao22@huawei.com>
+Date: Tue, 25 Oct 2022 16:24:44 +0800
+Subject: [PATCH] Fix UAF in STAILQ_FOREACH
+
+function spdk_nvme_ctrlr_free_io_qpair will free and memset qpair,
+The loop variable is destroyed in the loop.
+---
+ lib/nvme/nvme_transport.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+diff --git a/lib/nvme/nvme_transport.c b/lib/nvme/nvme_transport.c
+index 3050163..c35f29f 100644
+--- a/lib/nvme/nvme_transport.c
+++ b/lib/nvme/nvme_transport.c
+@@ -494,6 +494,9 @@ nvme_transport_poll_group_process_completions(struct spdk_nvme_transport_poll_gr
+ {
+ 	struct spdk_nvme_qpair *qpair;
+ 	int64_t rc;
+#ifdef SPDK_CONFIG_APP_RW
+	struct spdk_nvme_qpair *tmp_qpair;
+#endif
+ 
+ 	tgroup->in_completion_context = true;
+ 	rc = tgroup->transport->ops.poll_group_process_completions(tgroup, completions_per_qpair,
+@@ -502,7 +505,11 @@ nvme_transport_poll_group_process_completions(struct spdk_nvme_transport_poll_gr
+ 
+ 	if (spdk_unlikely(tgroup->num_qpairs_to_delete > 0)) {
+ 		/* deleted qpairs are more likely to be in the disconnected qpairs list. */
+#ifdef SPDK_CONFIG_APP_RW
+		STAILQ_FOREACH_SAFE(qpair, &tgroup->disconnected_qpairs, poll_group_stailq, tmp_qpair) {
+#else
+ 		STAILQ_FOREACH(qpair, &tgroup->disconnected_qpairs, poll_group_stailq) {
+#endif
+ 			if (spdk_unlikely(qpair->delete_after_completion_context)) {
+ 				spdk_nvme_ctrlr_free_io_qpair(qpair);
+ 				if (--tgroup->num_qpairs_to_delete == 0) {
+@@ -511,7 +518,11 @@ nvme_transport_poll_group_process_completions(struct spdk_nvme_transport_poll_gr
+ 			}
+ 		}
+ 
+#ifdef SPDK_CONFIG_APP_RW
+		STAILQ_FOREACH_SAFE(qpair, &tgroup->connected_qpairs, poll_group_stailq, tmp_qpair) {
+#else
+ 		STAILQ_FOREACH(qpair, &tgroup->connected_qpairs, poll_group_stailq) {
+#endif
+ 			if (spdk_unlikely(qpair->delete_after_completion_context)) {
+ 				spdk_nvme_ctrlr_free_io_qpair(qpair);
+ 				if (--tgroup->num_qpairs_to_delete == 0) {
+-- 
+2.27.0
+
--- a/spdk.spec
+++ b/spdk.spec
@ -4,7 +4,7 @@

 Name: spdk
 Version: 21.01.1
-Release: 8
+Release: 9
 Summary: Set of libraries and utilities for high performance user-mode storage
 License: BSD and MIT
 URL: http://spdk.io
@ -39,6 +39,7 @@ Patch27: 0027-Change-log-level-in-poll-timeout.patch
 Patch28: 0028-configure-add-CONFIG_HAVE_ARC4RANDOM.patch
 Patch29: 0029-Enable-unittest-in-make-check.patch
 Patch30: 0030-nvme_ctrlr_abort_queued_aborts-Segmentation-fault-oc.patch
+Patch31: 0031-Fix-UAF-in-STAILQ_FOREACH.patch

 %define package_version %{version}-%{release}

@ -213,6 +214,9 @@ mv doc/output/html/ %{install_docdir}


 %changelog
+* Mon Dec 12 2022 Hongtao Zhang <zhanghongtao22@huawei.com> - 21.01.1-9
+- Fix UAF in STAILQ_FOREACH
+
 * Wed Dec 7 2022 Hongtao Zhang <zhanghongtao22@huawei.com> - 21.01.1-8
 - Fix Segmentation fault occurs due to recursion