On Mon, 11 Sep 2023 10:33:08 +0800, linan666@xxxxxxxxxxxxxxx wrote:

> If a socket is processing ioctl 'NBD_SET_SOCK', config->socks might be
> krealloc in nbd_add_socket(), and a garbage request is received now, a UAF
> may occur.
>
> T1                        T2
> nbd_ioctl
>  __nbd_ioctl
>   nbd_add_socket
>    blk_mq_freeze_queue
>                           recv_work
>                            nbd_read_reply
>                             sock_xmit
>    krealloc config->socks
>                             def config->socks
>
> [...]

Applied, thanks!

[1/1] nbd: pass nbd_sock to nbd_read_reply() instead of index
      commit: 98c598afc22d4e43c2ad91860b65996d0c099a5d

Best regards,
-- 
Jens Axboe