| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <20211112120641.16073-1-fantasquex@gmail.com>
Date: Fri, 12 Nov 2021 20:06:41 +0800
From: Letu Ren <fantasquex@...il.com>
To: skashyap@...vell.com, jhasan@...vell.com, jejb@...ux.ibm.com,
martin.petersen@...cle.com
Cc: GR-QLogic-Storage-Upstream@...vell.com, linux-scsi@...r.kernel.org,
linux-kernel@...r.kernel.org, Letu Ren <fantasquex@...il.com>,
Zheyu Ma <zheyuma97@...il.com>, Wende Tan <twd2.me@...il.com>
Subject: [PATCH] scsi: qedf: Fix a UAF bug in __qedf_probe
In __qedf_probe, if `qedf->cdev` is NULL which means
qed_ops->common->probe() failed, then the program will goto label err1,
scsi_host_put() will free `lport->host` pointer. Because the memory `qedf`
points to is allocated by libfc_host_alloc(), it will be freed by
scsi_host_put(). However, the if statement below label err0 only checks
whether qedf is NULL but doesn't check whether the memory has been freed.
So a UAF bug occurred.
There are two ways to get to the statements below err0. the first one is
described as before. `qedf` should be set to NULL. The second way is goto
`err0` directly. In this way `qedf` hasn't been changed and it has the
initial value `NULL`. So the program wont't go to the if statement in any
situation.
The KASAN logs are as follows:
[ 2.312969] BUG: KASAN: use-after-free in __qedf_probe+0x5dcf/0x6bc0
[ 2.312969]
[ 2.312969] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014
[ 2.312969] Call Trace:
[ 2.312969] dump_stack_lvl+0x59/0x7b
[ 2.312969] print_address_description+0x7c/0x3b0
[ 2.312969] ? __qedf_probe+0x5dcf/0x6bc0
[ 2.312969] __kasan_report+0x160/0x1c0
[ 2.312969] ? __qedf_probe+0x5dcf/0x6bc0
[ 2.312969] kasan_report+0x4b/0x70
[ 2.312969] ? kobject_put+0x25d/0x290
[ 2.312969] kasan_check_range+0x2ca/0x310
[ 2.312969] __qedf_probe+0x5dcf/0x6bc0
[ 2.312969] ? selinux_kernfs_init_security+0xdc/0x5f0
[ 2.312969] ? trace_rpm_return_int_rcuidle+0x18/0x120
[ 2.312969] ? rpm_resume+0xa5c/0x16e0
[ 2.312969] ? qedf_get_generic_tlv_data+0x160/0x160
[ 2.312969] local_pci_probe+0x13c/0x1f0
[ 2.312969] pci_device_probe+0x37e/0x6c0
Reported-by: Zheyu Ma <zheyuma97@...il.com>
Signed-off-by: Letu Ren <fantasquex@...il.com>
Co-developed-by: Wende Tan <twd2.me@...il.com>
Signed-off-by: Wende Tan <twd2.me@...il.com>
---
drivers/scsi/qedf/qedf_main.c | 5 -----
1 file changed, 5 deletions(-)
diff --git a/drivers/scsi/qedf/qedf_main.c b/drivers/scsi/qedf/qedf_main.c
index 42d0d941dba5..3ea552acd82a 100644
--- a/drivers/scsi/qedf/qedf_main.c
+++ b/drivers/scsi/qedf/qedf_main.c
@@ -3683,11 +3683,6 @@ static int __qedf_probe(struct pci_dev *pdev, int mode)
err1:
scsi_host_put(lport->host);
err0:
- if (qedf) {
- QEDF_INFO(&qedf->dbg_ctx, QEDF_LOG_DISC, "Probe done.\n");
-
- clear_bit(QEDF_PROBING, &qedf->flags);
- }
return rc;
}
--
2.33.1
Powered by blists - more mailing lists