Message-ID: <2024062007-CVE-2022-48758-1500@gregkh>
Date: Thu, 20 Jun 2024 13:16:38 +0200
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: linux-cve-announce@...r.kernel.org
Cc: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
Subject: CVE-2022-48758: scsi: bnx2fc: Flush destroy_work queue before calling bnx2fc_interface_put()

Description
===========

In the Linux kernel, the following vulnerability has been resolved:

scsi: bnx2fc: Flush destroy_work queue before calling bnx2fc_interface_put()

The bnx2fc_destroy() functions are removing the interface before calling
destroy_work. This results in multiple WARNings from sysfs_remove_group() as
the controller rport device attributes are removed too early.

Replace the fcoe_port's destroy_work queue. It's not needed.

The problem is easily reproducible with the following steps.

Example:

$ dmesg -w &
$ systemctl enable --now fcoe
$ fipvlan -s -c ens2f1
$ fcoeadm -d ens2f1.802
[ 583.464488] host2: libfc: Link down on port (7500a1)
[ 583.472651] bnx2fc: 7500a1 - rport not created Yet!!
[ 583.490468] ------------[ cut here ]------------
[ 583.538725] sysfs group 'power' not found for kobject 'rport-2:0-0'
[ 583.568814] WARNING: CPU: 3 PID: 192 at fs/sysfs/group.c:279 sysfs_remove_group+0x6f/0x80
[ 583.607130] Modules linked in: dm_service_time 8021q garp mrp stp llc bnx2fc cnic uio rpcsec_gss_krb5 auth_rpcgss nfsv4 ...
[ 583.942994] CPU: 3 PID: 192 Comm: kworker/3:2 Kdump: loaded Not tainted 5.14.0-39.el9.x86_64 #1
[ 583.984105] Hardware name: HP ProLiant DL120 G7, BIOS J01 07/01/2013
[ 584.016535] Workqueue: fc_wq_2 fc_rport_final_delete [scsi_transport_fc]
[ 584.050691] RIP: 0010:sysfs_remove_group+0x6f/0x80
[ 584.074725] Code: ff 5b 48 89 ef 5d 41 5c e9 ee c0 ff ff 48 89 ef e8 f6 b8 ff ff eb d1 49 8b 14 24 48 8b 33 48 c7 c7 ...
[ 584.162586] RSP: 0018:ffffb567c15afdc0 EFLAGS: 00010282
[ 584.188225] RAX: 0000000000000000 RBX: ffffffff8eec4220 RCX: 0000000000000000
[ 584.221053] RDX: ffff8c1586ce84c0 RSI: ffff8c1586cd7cc0 RDI: ffff8c1586cd7cc0
[ 584.255089] RBP: 0000000000000000 R08: 0000000000000000 R09: ffffb567c15afc00
[ 584.287954] R10: ffffb567c15afbf8 R11: ffffffff8fbe7f28 R12: ffff8c1486326400
[ 584.322356] R13: ffff8c1486326480 R14: ffff8c1483a4a000 R15: 0000000000000004
[ 584.355379] FS: 0000000000000000(0000) GS:ffff8c1586cc0000(0000) knlGS:0000000000000000
[ 584.394419] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 584.421123] CR2: 00007fe95a6f7840 CR3: 0000000107674002 CR4: 00000000000606e0
[ 584.454888] Call Trace:
[ 584.466108] device_del+0xb2/0x3e0
[ 584.481701] device_unregister+0x13/0x60
[ 584.501306] bsg_unregister_queue+0x5b/0x80
[ 584.522029] bsg_remove_queue+0x1c/0x40
[ 584.541884] fc_rport_final_delete+0xf3/0x1d0 [scsi_transport_fc]
[ 584.573823] process_one_work+0x1e3/0x3b0
[ 584.592396] worker_thread+0x50/0x3b0
[ 584.609256] ? rescuer_thread+0x370/0x370
[ 584.628877] kthread+0x149/0x170
[ 584.643673] ? set_kthread_struct+0x40/0x40
[ 584.662909] ret_from_fork+0x22/0x30
[ 584.680002] ---[ end trace 53575ecefa942ece ]---
The Linux kernel CVE team has assigned CVE-2022-48758 to this issue.
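
For hosts that cannot be re-tested by hand, the symptom in the trace above can be searched for in collected kernel logs. The following is an added example, not part of the advisory or the kernel patch: it reports WARNING blocks where a sysfs group was missing for an `rport-*` kobject while `fc_rport_final_delete` was running. The first block in `SAMPLE` is excerpted from the trace above; the second is a constructed negative control. Other FC drivers could in principle produce the same pattern, so a hit is a lead, not proof of this bug.

```python
import re

SAMPLE = """\
[ 583.464488] host2: libfc: Link down on port (7500a1)
[ 583.490468] ------------[ cut here ]------------
[ 583.538725] sysfs group 'power' not found for kobject 'rport-2:0-0'
[ 583.568814] WARNING: CPU: 3 PID: 192 at fs/sysfs/group.c:279 sysfs_remove_group+0x6f/0x80
[ 584.016535] Workqueue: fc_wq_2 fc_rport_final_delete [scsi_transport_fc]
[ 584.680002] ---[ end trace 53575ecefa942ece ]---
[ 590.000000] ------------[ cut here ]------------
[ 590.000001] sysfs group 'power' not found for kobject 'usb1'
[ 590.000002] WARNING: CPU: 0 PID: 7 at fs/sysfs/group.c:279 sysfs_remove_group+0x6f/0x80
[ 590.000003] ---[ end trace 0000000000000000 ]---
"""

# "[ 583.464488] message" -> (timestamp, message)
LINE = re.compile(r"^\[\s*(\d+\.\d+)\]\s?(.*)$")
# Only rport kobjects are of interest for this issue.
MISSING = re.compile(r"sysfs group '([^']+)' not found for kobject '(rport-[^']+)'")


def find_rport_warnings(log_text):
    """Return (start_ts, group, kobject) for each matching WARNING block."""
    hits, block = [], None
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        ts, msg = float(m[1]), m[2]
        if "[ cut here ]" in msg:
            # A new WARNING block starts; forget any unterminated one.
            block = {"start": ts, "found": None, "rport_delete": False}
        elif block is not None:
            g = MISSING.search(msg)
            if g:
                block["found"] = (g[1], g[2])
            if "fc_rport_final_delete" in msg:
                block["rport_delete"] = True
            if msg.startswith("---[ end trace"):
                if block["found"] and block["rport_delete"]:
                    hits.append((block["start"], *block["found"]))
                block = None
    return hits


if __name__ == "__main__":
    for start, group, kobject in find_rport_warnings(SAMPLE):
        print(f"{start:.6f}: sysfs group {group!r} missing for {kobject}")
```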

Affected and fixed versions
===========================

Issue introduced in 3.2 with commit 0cbf32e1681d and fixed in 4.4.302 with commit 2a12fe8248a3
Issue introduced in 3.2 with commit 0cbf32e1681d and fixed in 4.9.300 with commit 262550f29c75
Issue introduced in 3.2 with commit 0cbf32e1681d and fixed in 4.14.265 with commit c93a290c862c
Issue introduced in 3.2 with commit 0cbf32e1681d and fixed in 4.19.228 with commit de6336b17a13
Issue introduced in 3.2 with commit 0cbf32e1681d and fixed in 5.4.176 with commit bf2bd892a0cb
Issue introduced in 3.2 with commit 0cbf32e1681d and fixed in 5.10.96 with commit 00849de10f79
Issue introduced in 3.2 with commit 0cbf32e1681d and fixed in 5.15.19 with commit b11e34f7bab2
Issue introduced in 3.2 with commit 0cbf32e1681d and fixed in 5.16.5 with commit ace7b6ef4125
Issue introduced in 3.2 with commit 0cbf32e1681d and fixed in 5.17 with commit 847f9ea4c518

Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.

Unaffected versions might change over time as fixes are backported to
older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2022-48758
will be updated if fixes are backported, please check that for the most
up to date information about this issue.

Affected files
==============

The file(s) affected by this issue are:
drivers/scsi/bnx2fc/bnx2fc_fcoe.c
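
The "Affected and fixed versions" list and the affected driver can be turned into a fleet triage check. The following is an added example, not part of the advisory: it classifies a `uname -r` string by upstream version number and notes whether the `bnx2fc` module is loaded. The status names and the `triage` helper are assumptions of this example, and distribution kernels (such as the `5.14.0-39.el9` kernel in the trace) may carry backports that upstream numbering cannot show, so an "affected" result there means "check the vendor advisory".

```python
import re

# Stable branch -> first patch release with the fix, copied from the
# advisory's "Affected and fixed versions" list.
FIXED_IN = {(4, 4): 302, (4, 9): 300, (4, 14): 265, (4, 19): 228,
            (5, 4): 176, (5, 10): 96, (5, 15): 19, (5, 16): 5}
INTRODUCED = (3, 2)     # commit 0cbf32e1681d
MAINLINE_FIX = (5, 17)  # commit 847f9ea4c518


def upstream_status(release):
    """Classify a `uname -r` string against upstream version numbers only."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?(-rc\d+)?", release)
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    branch, patch = (int(m[1]), int(m[2])), int(m[3] or 0)
    if branch < INTRODUCED:
        return "not-affected"
    if branch == MAINLINE_FIX and m[4]:
        return "unknown"  # the advisory does not say which 5.17-rc has the fix
    if branch >= MAINLINE_FIX:
        return "fixed"
    if branch in FIXED_IN:
        return "fixed" if patch >= FIXED_IN[branch] else "affected"
    return "affected"  # in range, but no backport listed for this branch


def bnx2fc_loaded(proc_modules_text):
    """True if the bnx2fc driver appears in /proc/modules-style text."""
    return any(line.split(" ", 1)[0] == "bnx2fc"
               for line in proc_modules_text.splitlines() if line)


def triage(release, proc_modules_text):
    """Combine the version check with whether the driver is in use."""
    status = upstream_status(release)
    if status == "affected" and not bnx2fc_loaded(proc_modules_text):
        return "affected-driver-not-loaded"
    return status


if __name__ == "__main__":
    import platform
    try:
        with open("/proc/modules") as fh:
            modules = fh.read()
    except OSError:
        modules = ""
    print(platform.release(), triage(platform.release(), modules))
```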

Mitigation
==========

The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes. Individual
changes are never tested alone, but rather are part of a larger kernel
release. Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all. If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
https://git.kernel.org/stable/c/2a12fe8248a38437b95b942bbe85aced72e6e2eb
https://git.kernel.org/stable/c/262550f29c750f7876b6ed1244281e72b64ebffb
https://git.kernel.org/stable/c/c93a290c862ccfa404e42d7420565730d67cbff9
https://git.kernel.org/stable/c/de6336b17a1376db1c0f7a528cce8783db0881c0
https://git.kernel.org/stable/c/bf2bd892a0cb14dd2d21f2c658f4b747813be311
https://git.kernel.org/stable/c/00849de10f798a9538242824a51b1756e7110754
https://git.kernel.org/stable/c/b11e34f7bab21df36f02a5e54fb69e858c09a65d
https://git.kernel.org/stable/c/ace7b6ef41251c5fe47f629a9a922382fb7b0a6b
https://git.kernel.org/stable/c/847f9ea4c5186fdb7b84297e3eeed9e340e83fce