libiscsi
SEGFAULT In AbortTaskSimpleAsync for iSER
Discovered this while running the iSCSI.iSCSITMF AbortTaskSimpleAsync test case. For a Task Management command, iser_pdu->iscsi_pdu.scsi_cbdata is not set. When the test case tries to send the Task Management command via the common API iser_send_command(), it calls overflow_data_size(), which tries to dereference scsi_cbdata, leading to a SEGFAULT.
Program terminated with signal SIGSEGV, Segmentation fault.
#0 overflow_data_size (iser_pdu=0x8ec030) at iser.c:627
627 data_size = iser_pdu->iscsi_pdu.scsi_cbdata.task->expxferlen;
[Current thread is 1 (Thread 0x7f741b975d40 (LWP 2053))]
Missing separate debuginfos, use: dnf debuginfo-install glibc-2.27-15.fc28.x86_64 libgcc-8.1.1-1.fc28.x86_64
(gdb) bt
#0 overflow_data_size (iser_pdu=0x8ec030) at iser.c:627
#1 iser_send_command (iser_pdu=0x8ec030, iser_conn=0x8c4680) at iser.c:652
#2 iscsi_iser_queue_pdu (iscsi=0x8ea4c0, pdu=0x8ec030) at iser.c:717
#3 0x00007f741b13a96a in iscsi_task_mgmt_async (iscsi=0x8ea4c0, lun=1, function=function@entry=ISCSI_TM_ABORT_TASK, ritt=2105007283, rcmdsn=642795792, cb=cb@entry=0x44c300 <test_async_abort_cb>, private_data=0x7fffb7bdf270) at task_mgmt.c:83
#4 0x000000000044c74d in test_async_abort_simple () at test_async_abort_simple.c:154
#5 0x00007f741b34f48b in run_single_test (pTest=pTest@entry=0x8d0ae0, pRunSummary=0x7f741b5590a0 <f_run_summary>) at TestRun.c:991
#6 0x00007f741b34f721 in run_single_suite (pSuite=pSuite@entry=0x8ecc40, pRunSummary=0x7f741b5590a0 <f_run_summary>) at TestRun.c:876
#7 0x00007f741b34fb36 in CU_run_all_tests () at TestRun.c:367
#8 0x00007f741b352d31 in basic_run_all_tests (pRegistry=0x0) at Basic.c:195
#9 CU_basic_run_tests () at Basic.c:87
#10 0x0000000000403f43 in main (argc=<optimized out>, argv=<optimized out>) at iscsi-test-cu.c:1493
(gdb) print iser_pdu->iscsi_pdu.scsi_cbdata.task->expxferlen
Cannot access memory at address 0xc
(gdb) print iser_pdu->iscsi_pdu.scsi_cbdata.task
$1 = (struct scsi_task *) 0x0
(gdb) print iser_pdu->iscsi_pdu.scsi_cbdata
$2 = {callback = 0x0, private_data = 0x0, task = 0x0}
(gdb) print iser_pdu->iscsi_pdu
$3 = {next = 0x0, flags = 4, lun = 0, itt = 2105007284, cmdsn = 642795793, datasn = 0, response_opcode = ISCSI_PDU_SCSI_TASK_MANAGEMENT_RESPONSE, callback = 0x44c300 <test_async_abort_cb>, private_data = 0x7fffb7bdf270, outdata = {size = 48, data = 0x8e94d0 "B\201"}, outdata_written = 0, payload_offset = 0, payload_len = 0, payload_written = 0, indata = {size = 0, data = 0x0}, scsi_cbdata = {callback = 0x0, private_data = 0x0, task = 0x0}, scsi_timeout = 0, expxferlen = 0}
(gdb)
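As an added illustration of the crash pattern (this is not libiscsi's own code and not the change in the linked pull request): simplified stand-ins for the structures named in the backtrace, the unchecked dereference that produces the SIGSEGV when scsi_cbdata.task is NULL, and a guarded variant that treats a PDU with no attached scsi_task, which is exactly what the Task Management PDU looks like in the dump above, as having no data phase. The struct layouts, the ISER_MAX_DATA_SIZE ceiling and the "returns 1 when the expected transfer exceeds the ceiling" semantics are assumptions made for the example, not the real iser.c behaviour.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed minimal shapes of the libiscsi structures from the backtrace;
 * only the fields the crashing path touches are modelled here. */
struct scsi_task {
    uint32_t expxferlen;            /* expected data transfer length */
};

struct iscsi_scsi_cbdata {
    void *callback;
    void *private_data;
    struct scsi_task *task;         /* NULL for a Task Management PDU */
};

struct iscsi_pdu {
    struct iscsi_scsi_cbdata scsi_cbdata;
};

struct iser_pdu {
    struct iscsi_pdu iscsi_pdu;
};

/* Hypothetical transfer ceiling for the example; the real limit is in iser.c. */
#define ISER_MAX_DATA_SIZE (1024u * 1024u)

/* Crashing shape: task is dereferenced unconditionally. With scsi_cbdata
 * zeroed, as in the gdb dump ($2), this reads through a NULL pointer, which
 * is the SIGSEGV at iser.c:627. Kept only for contrast with the guarded form. */
static int overflow_data_size_unchecked(const struct iser_pdu *iser_pdu)
{
    uint32_t data_size = iser_pdu->iscsi_pdu.scsi_cbdata.task->expxferlen;
    return data_size > ISER_MAX_DATA_SIZE;
}

/* Guarded shape: a PDU without an attached scsi_task carries no SCSI data
 * phase, so there is nothing to overflow; report 0 instead of dereferencing. */
static int overflow_data_size_checked(const struct iser_pdu *iser_pdu)
{
    const struct scsi_task *task = iser_pdu->iscsi_pdu.scsi_cbdata.task;
    if (task == NULL)
        return 0;
    return task->expxferlen > ISER_MAX_DATA_SIZE;
}

/* Constructed PDU mirroring the dump: scsi_cbdata is all zero. */
static struct iser_pdu make_tmf_pdu(void)
{
    struct iser_pdu pdu = {0};
    return pdu;
}

/* Constructed SCSI command PDU with a task attached. */
static struct iser_pdu make_scsi_pdu(struct scsi_task *task)
{
    struct iser_pdu pdu = {0};
    pdu.iscsi_pdu.scsi_cbdata.task = task;
    return pdu;
}

/* Named results so the three cases can be checked without printing. */
int demo_tmf_checked(void)
{
    struct iser_pdu tmf = make_tmf_pdu();
    return overflow_data_size_checked(&tmf);       /* 0: no task, no data */
}

int demo_small_command(void)
{
    struct scsi_task small = { .expxferlen = 4096 };
    struct iser_pdu cmd = make_scsi_pdu(&small);
    /* Both variants agree once a task is attached. */
    return overflow_data_size_checked(&cmd) + overflow_data_size_unchecked(&cmd);
}

int demo_oversized_command(void)
{
    struct scsi_task huge = { .expxferlen = ISER_MAX_DATA_SIZE + 1 };
    struct iser_pdu cmd = make_scsi_pdu(&huge);
    return overflow_data_size_checked(&cmd);       /* 1: exceeds ceiling */
}

int main(void)
{
    printf("TMF pdu, checked:          %d\n", demo_tmf_checked());
    printf("4 KiB command, both:       %d\n", demo_small_command());
    printf("oversized command, checked: %d\n", demo_oversized_command());
    /* overflow_data_size_unchecked() on the TMF pdu would reproduce the crash. */
    return 0;
}
```

The detection value here is the shape of the bug rather than the numbers: any shared send path that assumes every PDU carries a scsi_task will fail on the first PDU type that does not (Task Management, and in general any non-SCSI-command opcode), so the guard belongs at the point where the task pointer is read, not in each caller.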
The pull request that fixes this can be found here: https://github.com/sahlberg/libiscsi/pull/292