lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date:   Fri, 28 Oct 2022 13:07:36 +0800
From:   Zheng Wang <zyytlz.wz@....com>
To:     james.smart@...adcom.com
Cc:     dick.kennedy@...adcom.com, jejb@...ux.ibm.com,
        martin.petersen@...cle.com, linux-scsi@...r.kernel.org,
        hackerzheng666@...il.com, alex000young@...il.com,
        security@...nel.org, linux-kernel@...r.kernel.org,
        Zheng Wang <zyytlz.wz@....com>
Subject: [PATCH] scsi: lpfc: fix double free bug in lpfc_bsg_write_ebuf_set

When error occurs, it frees dmabuf in both lpfc_bsg_write_ebuf_set
and lpfc_bsg_issue_mbox.

Fix it by removing free code in lpfc_bsg_write_ebuf_set.

Reported-by: Zheng Wang <hackerzheng666@...il.com>
Reported-by: Zhuorao Yang <alex000young@...il.com>

Fixes: 7ad20aa9d39a ("[SCSI] lpfc 8.3.24: Extend BSG infrastructure and add link diagnostics")

Signed-off-by: Zheng Wang <zyytlz.wz@....com>
---
 drivers/scsi/lpfc/lpfc_bsg.c | 17 +++--------------
 1 file changed, 3 insertions(+), 14 deletions(-)

diff --git a/drivers/scsi/lpfc/lpfc_bsg.c b/drivers/scsi/lpfc/lpfc_bsg.c
index ac0c7ccf2eae..7362d9c1a50b 100644
--- a/drivers/scsi/lpfc/lpfc_bsg.c
+++ b/drivers/scsi/lpfc/lpfc_bsg.c
@@ -4439,15 +4439,13 @@ lpfc_bsg_write_ebuf_set(struct lpfc_hba *phba, struct bsg_job *job,
 
 		dd_data = kmalloc(sizeof(struct bsg_job_data), GFP_KERNEL);
 		if (!dd_data) {
-			rc = -ENOMEM;
-			goto job_error;
+			return -ENOMEM;
 		}
 
 		/* mailbox command structure for base driver */
 		pmboxq = mempool_alloc(phba->mbox_mem_pool, GFP_KERNEL);
 		if (!pmboxq) {
-			rc = -ENOMEM;
-			goto job_error;
+			return -ENOMEM;
 		}
 		memset(pmboxq, 0, sizeof(LPFC_MBOXQ_t));
 		pbuf = (uint8_t *)phba->mbox_ext_buf_ctx.mbx_dmabuf->virt;
@@ -4480,8 +4478,7 @@ lpfc_bsg_write_ebuf_set(struct lpfc_hba *phba, struct bsg_job *job,
 		lpfc_printf_log(phba, KERN_ERR, LOG_LIBDFC,
 				"2970 Failed to issue SLI_CONFIG ext-buffer "
 				"mailbox command, rc:x%x\n", rc);
-		rc = -EPIPE;
-		goto job_error;
+		return -EPIPE;
 	}
 
 	/* wait for additional external buffers */
@@ -4489,14 +4486,6 @@ lpfc_bsg_write_ebuf_set(struct lpfc_hba *phba, struct bsg_job *job,
 	bsg_job_done(job, bsg_reply->result,
 		       bsg_reply->reply_payload_rcv_len);
 	return SLI_CONFIG_HANDLED;
-
-job_error:
-	if (pmboxq)
-		mempool_free(pmboxq, phba->mbox_mem_pool);
-	lpfc_bsg_dma_page_free(phba, dmabuf);
-	kfree(dd_data);
-
-	return rc;
 }
 
 /**
-- 
2.25.1

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ