A user of this function might expect that an invalid channel ptr (NULL) passed as input would return an invalid ctx ptr (NULL). If there is no input check, this function returns NULL + ctx size, which is an invalid ptr but passes the NULL check.

e.g.

    ch = get_io_channel();      # returns NULL
    ctx = channel_get_ctx(ch);  # returns non-NULL
    if (!ctx) err

ctx can be used and dereferenced later, causing a segfault.

A few existing SPDK code paths shall be considered (found by grep).

    iscsi/iscsi_subsystem.c-1045-  ch = spdk_get_io_channel(&g_iscsi);
    iscsi/iscsi_subsystem.c:1046:  pg = spdk_io_channel_get_ctx(ch);
    nvmf/nvmf_rpc.c-2143-  ch = spdk_get_io_channel(ctx->tgt);
    nvmf/nvmf_rpc.c:2144:  group = spdk_io_channel_get_ctx(ch);
    blobfs/blobfs.c-544-  fs->md_target.md_io_channel = spdk_get_io_channel(&fs->md_target);
    blobfs/blobfs.c:545:  fs->md_target.md_fs_channel = spdk_io_channel_get_ctx(fs->md_target.md_io_channel);

Signed-off-by: Jacek Kalwas <jacek.kalwas@intel.com>
Change-Id: I36cd41519f60188373837fd805242afb71934227
Reviewed-on: https://review.spdk.io/gerrit/c/spdk/spdk/+/18279
Reviewed-by: Aleksey Marchuk <alexeymar@nvidia.com>
Tested-by: SPDK CI Jenkins <sys_sgci@intel.com>
Reviewed-by: Jim Harris <james.r.harris@intel.com>
Community-CI: Mellanox Build Bot
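The failure mode the commit message describes (a NULL channel turning into a small, non-NULL, invalid ctx pointer that slips past the caller's `if (!ctx)` guard) can be reproduced in isolation. The following is an added example written for this page, not SPDK's code: `struct io_channel`, `channel_alloc`, `get_ctx_unchecked` and `get_ctx_checked` are hypothetical stand-ins that only model the "ctx lives directly after the channel header" layout the message's "NULL + ctx size" arithmetic implies. The arithmetic is done through `uintptr_t` so the NULL case is well-defined integer math rather than undefined pointer arithmetic; the resulting address is the same one `(char *)ch + sizeof(*ch)` would yield.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* Hypothetical stand-in for an I/O channel header (not SPDK's struct):
 * ctx_size bytes of per-channel context immediately follow it. */
struct io_channel {
    int ref;
    size_t ctx_size;
};

/* Allocate a header plus trailing context (modelled, not SPDK code). */
static struct io_channel *channel_alloc(size_t ctx_size)
{
    struct io_channel *ch = calloc(1, sizeof(*ch) + ctx_size);
    if (ch != NULL) {
        ch->ref = 1;
        ch->ctx_size = ctx_size;
    }
    return ch;
}

/* Unchecked variant: derives the ctx address without inspecting ch.
 * For ch == NULL this yields (void *)sizeof(struct io_channel),
 * which is non-NULL and invalid, so a caller's NULL check passes. */
static void *get_ctx_unchecked(struct io_channel *ch)
{
    return (void *)((uintptr_t)ch + sizeof(*ch));
}

/* Checked variant: a NULL channel produces a NULL ctx, so the caller's
 * `if (!ctx)` guard actually fires instead of dereferencing later. */
static void *get_ctx_checked(struct io_channel *ch)
{
    if (ch == NULL) {
        return NULL;
    }
    return (void *)((uintptr_t)ch + sizeof(*ch));
}

/* Models the caller pattern from the commit message:
 *   ch = get_io_channel(); ctx = channel_get_ctx(ch); if (!ctx) err;
 * Returns 1 if the guard rejects the ctx, 0 if the caller would go on
 * to use (and dereference) it. */
static int caller_would_bail(struct io_channel *ch,
                             void *(*get_ctx)(struct io_channel *))
{
    void *ctx = get_ctx(ch);
    return ctx == NULL;
}

/* For a real channel both variants must agree and point just past the
 * header; returns 1 on success, 0 on any mismatch or allocation failure. */
static int roundtrip_ok(size_t ctx_size)
{
    struct io_channel *ch = channel_alloc(ctx_size);
    int ok;

    if (ch == NULL) {
        return 0;
    }
    ok = get_ctx_checked(ch) == get_ctx_unchecked(ch) &&
         (char *)get_ctx_checked(ch) == (char *)ch + sizeof(*ch);
    free(ch);
    return ok;
}
```

With the unchecked variant, `caller_would_bail(NULL, get_ctx_unchecked)` returns 0: the caller proceeds with a pointer equal to `sizeof(struct io_channel)`, and the segfault only shows up at the first dereference, far from the `spdk_get_io_channel` call that actually failed. The checked variant moves the failure to the guard the callers in the grep output already have.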