| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <2024122942-blissful-framing-214e@gregkh>
Date: Sun, 29 Dec 2024 08:24:14 +0100
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: Harshit Mogalapalli <harshit.m.mogalapalli@...cle.com>
Cc: cve@...nel.org, linux-kernel@...r.kernel.org,
linux-cve-announce@...r.kernel.org, skashyap@...vell.com,
Vegard Nossum <vegard.nossum@...cle.com>
Subject: Re: CVE-2024-26929: scsi: qla2xxx: Fix double free of fcport
On Sun, Dec 29, 2024 at 12:28:01AM +0530, Harshit Mogalapalli wrote:
> Hi,
>
> On 01/05/24 10:51, Greg Kroah-Hartman wrote:
> > Description
> > ===========
> >
> > In the Linux kernel, the following vulnerability has been resolved:
> >
> > scsi: qla2xxx: Fix double free of fcport
> >
> > The server was crashing after LOGO because fcport was getting freed twice.
> >
> > -----------[ cut here ]-----------
> > kernel BUG at mm/slub.c:371!
> > invalid opcode: 0000 1 SMP PTI
> > CPU: 35 PID: 4610 Comm: bash Kdump: loaded Tainted: G OE --------- - - 4.18.0-425.3.1.el8.x86_64 #1
> > Hardware name: HPE ProLiant DL360 Gen10/ProLiant DL360 Gen10, BIOS U32 09/03/2021
> > RIP: 0010:set_freepointer.part.57+0x0/0x10
> > RSP: 0018:ffffb07107027d90 EFLAGS: 00010246
> > RAX: ffff9cb7e3150000 RBX: ffff9cb7e332b9c0 RCX: ffff9cb7e3150400
> > RDX: 0000000000001f37 RSI: 0000000000000000 RDI: ffff9cb7c0005500
> > RBP: fffff693448c5400 R08: 0000000080000000 R09: 0000000000000009
> > R10: 0000000000000000 R11: 0000000000132af0 R12: ffff9cb7c0005500
> > R13: ffff9cb7e3150000 R14: ffffffffc06990e0 R15: ffff9cb7ea85ea58
> > FS: 00007ff6b79c2740(0000) GS:ffff9cb8f7ec0000(0000) knlGS:0000000000000000
> > CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> > CR2: 000055b426b7d700 CR3: 0000000169c18002 CR4: 00000000007706e0
> > DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> > DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
> > PKRU: 55555554
> > Call Trace:
> > kfree+0x238/0x250
> > qla2x00_els_dcmd_sp_free+0x20/0x230 [qla2xxx]
> > ? qla24xx_els_dcmd_iocb+0x607/0x690 [qla2xxx]
> > qla2x00_issue_logo+0x28c/0x2a0 [qla2xxx]
> > ? qla2x00_issue_logo+0x28c/0x2a0 [qla2xxx]
> > ? kernfs_fop_write+0x11e/0x1a0
> >
> > Remove one of the free calls and add check for valid fcport. Also use
> > function qla2x00_free_fcport() instead of kfree().
> >
> > The Linux kernel CVE team has assigned CVE-2024-26929 to this issue.
> >
> >
> > Affected and fixed versions
> > ===========================
> >
> > Fixed in 5.15.154 with commit b03e626bd6d3
> > Fixed in 6.1.84 with commit 282877633b25
> > Fixed in 6.6.24 with commit f85af9f1aa5e
> > Fixed in 6.7.12 with commit 9b43d2884b54
> > Fixed in 6.8.3 with commit 846fb9f112f6
> > Fixed in 6.9-rc2 with commit 82f522ae0d97
> >
>
>
> I think the broken commit/vuln commit is: 4895009c4bb7 ("scsi: qla2xxx:
> Prevent command send on chip reset") and this is only present in stable
> kernels newer than (>=) 5.15.y.
>
> Is it worth putting the vuln commit information if we find out what the
> broken/vuln commit is while trying to backport it to older stable kernels ?
Yes it is, our tools provide for this, see:
https://git.kernel.org/pub/scm/linux/security/vulns.git/tree/cve/schema#n69
for how to do it (i.e. give us a git id and we can add a .vulnerable
file so the tools pick it up properly, or send us a patch for that!)
Do you want to send a patch for this, or do you need us to?
thanks,
greg k-h
Powered by blists - more mailing lists