| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 6 Sep 2022 14:33:18 +0800
From: Zixuan Fu <r33s3n6@...il.com>
To: kashyap.desai@...adcom.com, sumit.saxena@...adcom.com,
shivasharan.srikanteshwara@...adcom.com, jejb@...ux.ibm.com,
martin.petersen@...cle.com
Cc: megaraidlinux.pdl@...adcom.com, linux-scsi@...r.kernel.org,
linux-kernel@...r.kernel.org, baijiaju1990@...il.com,
TOTE Robot <oslab@...nghua.edu.cn>
Subject: [BUG] scsi: megaraid_sas: possible use-after-free caused by bad error handling in megasas_probe_one()
Hello,
Our fault injection tool finds a possible use-after-free in the
megaraid_sas driver in Linux 5.10.0:
In the file drivers/scsi/megaraid/megaraid_sas_base.c:
In megasas_io_attach(), the call to scsi_add_host() may fail:
6814: if (scsi_add_host(host, &instance->pdev->dev)) {
...
6818: return -ENODEV;
6819: }
This error is then propagated to its caller megasas_probe_one().
7414: if (megasas_io_attach(instance))
7415: goto fail_io_attach;
In error handling code of megasas_probe_one(), it calls scsi_host_put():
7457: scsi_host_put(host);
The function scsi_host_put() calls scsi_host_dev_release() to free `host`,
which contains a variable `instance`.
But megasas_probe_one() calls megasas_init_fw() before:
7372: if (megasas_init_fw(instance))
In megasas_init_fw(), it starts a timer:
6369: megasas_start_timer(instance);
And megasas_probe_one() does nothing about it in error handling code. When
the timer expires, it accesses `instance`, causing a use-after-free bug.
I am not quite sure how to fix this possible bug. Any feedback would be
appreciated, thanks!
Reported-by: TOTE Robot <oslab@...nghua.edu.cn>
Best wishes,
Zixuan Fu
Powered by blists - more mailing lists