Linux Kernel Race Condition Vulnerability in iSCSI Target Login Process

Vulnerability

A race condition vulnerability has been identified in the Linux kernel's iSCSI target implementation. The issue arises when a malicious initiator sends random data immediately after a login PDU. The 'iscsi_target_sk_data_ready()' callback then schedules 'login_work', and the negotiation may conclude without clearing the 'LOGIN_FLAGS_INITIAL_PDU' flag. As a result, 'login_work' keeps rescheduling itself indefinitely. If the initiator subsequently drops the connection, the 'iscsit_conn' structure is freed and 'login_work' dereferences a released socket structure, which crashes the kernel with a NULL pointer dereference.
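
The ordering described above, replayed in a single-threaded C model. This is an added example, not kernel code and not part of the original advisory. 'struct conn_model', 'run_scenario()' and the 'hardened' branch are hypothetical; the hardened branch shows one generic way to stop the respin in this model and is not the upstream patch.

```c
#include <stdbool.h>
#include <stdio.h>

/* Toy model, not kernel code: one connection and one work-queue slot. */
struct conn_model {
    bool initial_pdu;   /* stands in for LOGIN_FLAGS_INITIAL_PDU */
    bool work_pending;  /* login_work is queued */
    int *sock;          /* NULL once the connection has been released */
};

/* Models login_work: false means it would have touched a released socket. */
static bool login_work(struct conn_model *c)
{
    c->work_pending = false;
    if (c->sock == NULL)
        return false;             /* the kernel crashes at this point */
    if (c->initial_pdu)
        c->work_pending = true;   /* flag still set: reschedule itself */
    return true;
}

/* Replays the sequence; *runs counts login_work executions. hardened=true
 * clears the flag and cancels queued work when negotiation ends (assumed). */
static bool run_scenario(bool hardened, int *runs)
{
    int sk = 0;
    struct conn_model c = { .initial_pdu = true, .sock = &sk };
    *runs = 0;
    c.work_pending = true;        /* data_ready fires on the extra data */
    if (hardened) {               /* negotiation concludes here */
        c.initial_pdu = false;
        c.work_pending = false;
    }
    for (int i = 0; i < 3 && c.work_pending; i++, (*runs)++)
        login_work(&c);           /* socket still valid: work just respins */
    c.sock = NULL;                /* initiator drops the connection */
    while (c.work_pending) {
        (*runs)++;
        if (!login_work(&c)) return false;
    }
    return true;
}

int main(void)
{
    int a, b;
    bool u = run_scenario(false, &a), h = run_scenario(true, &b);
    printf("unpatched: safe=%d runs=%d; hardened: safe=%d runs=%d\n", u, a, h, b);
    return 0;
}
```

In the unpatched path the work item is still queued when the socket goes away, so its fourth run hits the released pointer; in the hardened path nothing is left queued at teardown.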

Impact

Exploitation of this vulnerability leads to a kernel crash caused by a NULL pointer dereference, where the address '0000000000000230' is accessed. This occurs after the 'login_work' function tries to use a socket structure that has already been released, following the premature termination of an iSCSI connection.

Reproduction

To reproduce this vulnerability, an iSCSI initiator must be used to send random data immediately after a login PDU is transmitted to the iSCSI target. This can create a situation where the 'LOGIN_FLAGS_INITIAL_PDU' flag is not properly cleared, allowing the 'login_work' to become stuck in a rescheduling loop. Once this loop is established, dropping the iSCSI connection will trigger the kernel crash by causing the 'login_work' to attempt to access a freed socket structure.

Remediation

The vulnerability has been addressed in the Linux kernel. Users should upgrade to the latest version where this issue has been fixed.

Added: Sep 16, 2025, 6:18 PM
Updated: Sep 16, 2025, 6:18 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 2.5
exploitability: 5.3
remediation: 7.7
relevance: 0.5
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.