Linux Kernel LUN_RESET Handling Vulnerability in SCSI Target

A vulnerability in the Linux kernel's SCSI target implementation can lead to improper handling of LUN_RESET commands, causing an initiator to mistakenly believe that all running I/O commands have been cleared. This issue arises when LUN_RESET commands are issued for multiple sessions, leading to a scenario where commands are not properly synchronized or managed, potentially causing data integrity issues.

Impact

Exploitation of this vulnerability can cause a logic error in the SCSI command handling process, where an initiator may incorrectly assume that certain commands have been aborted or completed, leading to potential data corruption or mismanagement of I/O operations.

Reproduction

To reproduce this vulnerability, initiate multiple I/O commands across two sessions in the SCSI target layer. Then, send a LUN_RESET command for each session. Session one will move all commands to a local drain list, while session two will not recognize this change, leading to a successful LUN_RESET response. This causes session two's initiator to incorrectly assume that its commands have been cleared, allowing them to be restarted. Once these commands complete on the backend, the target will return aborted task statuses, creating a mismatch that can confuse the initiator's command tracking.

Remediation

Users can update to the latest version of the Linux kernel where this vulnerability has been addressed. Instructions for updating the kernel can be found in the official Linux documentation.