| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <20221227001001.51626-1-zh.nvgt@gmail.com>
Date: Mon, 26 Dec 2022 16:10:01 -0800
From: Hang Zhang <zh.nvgt@...il.com>
To: unlisted-recipients:; (no To-header on input)
Cc: Adaptec OEM Raid Solutions <aacraid@...rosemi.com>,
"James E . J . Bottomley" <jejb@...ux.ibm.com>,
"Martin K . Petersen" <martin.petersen@...cle.com>,
linux-scsi@...r.kernel.org, linux-kernel@...r.kernel.org,
Hang Zhang <zh.nvgt@...il.com>
Subject: [PATCH] scsi: dpt_i2o: fix a potential use-after-free in __adpt_reset()
__adpt_reset() invokes adpt_hba_reset(), which can free "pHba"
on error paths and return an negative error code in those
situations. The problem is that "pHba" is from the global pointer
"cmd->device->host->hostdata[0]", regardless of the possible free
of "pHba", that original global pointer is never nullified and
thus may become a dangling pointer and be dereferenced later,
potentially causing a use-after-free.
Fix the issue by nullifying "cmd->device->host->hostdata[0]" if
adpt_hba_reset() returns a negative error code to __adpt_reset(),
which indicates the free of "pHba". Also add a NULL check before
any dereference of "pHba", or the aliased global pointer. Note
that the similar NULL check already exists at other places, like
in adpt_queue_lck().
Signed-off-by: Hang Zhang <zh.nvgt@...il.com>
---
drivers/scsi/dpt_i2o.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/drivers/scsi/dpt_i2o.c b/drivers/scsi/dpt_i2o.c
index 2e9155ba7408..9827517a1898 100644
--- a/drivers/scsi/dpt_i2o.c
+++ b/drivers/scsi/dpt_i2o.c
@@ -753,6 +753,9 @@ static int __adpt_reset(struct scsi_cmnd* cmd)
char name[32];
pHba = (adpt_hba*)cmd->device->host->hostdata[0];
+ if (!pHba) {
+ return FAILED;
+ }
strncpy(name, pHba->name, sizeof(name));
printk(KERN_WARNING"%s: Hba Reset: scsi id %d: tid: %d\n", name, cmd->device->channel, pHba->channel[cmd->device->channel].tid);
rcode = adpt_hba_reset(pHba);
@@ -760,6 +763,7 @@ static int __adpt_reset(struct scsi_cmnd* cmd)
printk(KERN_WARNING"%s: HBA reset complete\n", name);
return SUCCESS;
} else {
+ cmd->device->host->hostdata[0] = NULL;
printk(KERN_WARNING"%s: HBA reset failed (%x)\n", name, rcode);
return FAILED;
}
--
2.39.0
Powered by blists - more mailing lists