Linux Kernel SCSI Libiscsi Uninitialized Data Vulnerability in iSER Setup

Vulnerability

A vulnerability exists in the Linux kernel's SCSI libiscsi component, specifically during iSCSI Extensions for RDMA (iSER) connection setup. The 'dd_data' field of the 'iscsi_conn' structure is initialized without first checking whether memory has been allocated for it. Because the assignment is unconditional, a failed 'ib_fast_reg_mr' allocation leaves 'dd_data' holding an invalid pointer, which is dereferenced when the connection is torn down and causes a kernel panic. The fix sets 'dd_data' only when memory has been successfully allocated.

Impact

The vulnerability can cause a kernel panic due to an invalid pointer dereference, disrupting system operations and potentially leading to a denial of service.

Reproduction

To reproduce this vulnerability, initiate an iSCSI connection over RDMA using a configuration that triggers the 'ib_fast_reg_mr' allocation. If this allocation fails, the system will panic because 'iscsi_conn->dd_data' is set without ensuring that memory is available, leading to a dereference of a null or invalid pointer during the connection's teardown process.
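The bug pattern described in the Vulnerability and Reproduction sections, as an added userspace model (not the kernel's libiscsi or iSER code): the transport-private area behind the connection object is assumed to be optional (present only when dd_size > 0), the unconditional setup leaves 'dd_data' non-NULL even when nothing was allocated for it, and a teardown that treats non-NULL 'dd_data' as a bound object then follows an invalid pointer. The names 'model_conn', 'conn_setup_unconditional', 'conn_setup_fixed', 'teardown_would_deref' and 'bind_failure_derefs' are this example's own.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdlib.h>

/* Userspace model (not kernel code): the transport-private area sits inline
 * behind the struct and exists only when dd_size > 0. iSER requests 0 and
 * binds dd_data later, after its RDMA resources are allocated. */
struct model_conn {
    void *dd_data;   /* transport-private data, expected NULL until bound */
    char tail[];     /* optional inline area, dd_size bytes */
};

/* Before the fix: dd_data points at the tail unconditionally, so it is
 * non-NULL even when no inline memory was allocated for it. */
static struct model_conn *conn_setup_unconditional(size_t dd_size)
{
    struct model_conn *conn = calloc(1, sizeof(*conn) + dd_size);
    if (!conn)
        return NULL;
    conn->dd_data = conn->tail;   /* one past the end when dd_size == 0 */
    return conn;
}

/* After the fix: dd_data is set only when inline memory really exists. */
static struct model_conn *conn_setup_fixed(size_t dd_size)
{
    struct model_conn *conn = calloc(1, sizeof(*conn) + dd_size);
    if (!conn)
        return NULL;
    if (dd_size)
        conn->dd_data = conn->tail;
    return conn;
}

/* Teardown in the transport's style: non-NULL dd_data means "bound object,
 * release it". Only the pointer is inspected, since following it is UB. */
static bool teardown_would_deref(struct model_conn *conn)
{
    bool deref = conn->dd_data != NULL;
    free(conn);
    return deref;
}

/* Advisory scenario: setup with no inline area, the RDMA resource allocation
 * fails so dd_data is never bound, then the connection is torn down. */
static bool bind_failure_derefs(struct model_conn *(*setup)(size_t))
{
    struct model_conn *conn = setup(0);
    return conn ? teardown_would_deref(conn) : false;
}
```

With the unconditional setup the teardown follows a pointer that never referred to allocated memory; with the fixed setup it sees NULL and skips the release.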

Remediation

Users can upgrade to the latest version of the Linux kernel where this vulnerability has been fixed. Instructions for upgrading can be found in the official Linux kernel documentation.

Added: Sep 4, 2025, 4:38 PM
Updated: Sep 4, 2025, 4:38 PM

Vulnerability Rating

Custom Algorithm
spread: 9.0
impact: 2.5
exploitability: 5.7
remediation: 7.7
relevance: 0.5
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.