lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <29eba901-ef67-41e6-b2a5-3f653861874d@oracle.com>
Date: Fri, 3 Jan 2025 13:53:19 +0530
From: Harshit Mogalapalli <harshit.m.mogalapalli@...cle.com>
To: Greg KH <gregkh@...uxfoundation.org>
Cc: cve@...nel.org, vegard.nossum@...cle.com, linux-kernel@...r.kernel.org,
        Martin Petersen <martin.petersen@...cle.com>, skashyap@...vell.com,
        qutran@...vell.com, Himanshu Madhani <himanshu.madhani@...cle.com>
Subject: Re: [PATCH] CVE-2024-26929: Add vulnerable commit information

Hi Greg,

+CC qla2xxx experts

On 03/01/25 12:22, Greg KH wrote:
> On Thu, Jan 02, 2025 at 12:48:26PM -0800, Harshit Mogalapalli wrote:
>> This CVE fixes: 4895009c4bb7 ("scsi: qla2xxx: Prevent command send on
>> chip reset") so add that information in vulnerable commit.
>>
>> Signed-off-by: Harshit Mogalapalli <harshit.m.mogalapalli@...cle.com>
>> ---
>>   cve/published/2024/CVE-2024-26929.vulnerable | 1 +
>>   1 file changed, 1 insertion(+)
>>   create mode 100644 cve/published/2024/CVE-2024-26929.vulnerable
>>
>> diff --git a/cve/published/2024/CVE-2024-26929.vulnerable b/cve/published/2024/CVE-2024-26929.vulnerable
>> new file mode 100644
>> index 000000000000..b946d6f2786b
>> --- /dev/null
>> +++ b/cve/published/2024/CVE-2024-26929.vulnerable
>> @@ -0,0 +1 @@
>> +4895009c4bb72f71f2e682f1e7d2c2d96e482087
>> -- 
>> 2.46.0
>>
>>
> 
> Ok, by doing this it means this whole CVE needs to be rejected as the
> vulnerable commit never shows up in a a release on its own.  Are you
> sure about this?  If so, let's just reject the CVE.
> 

My reasoning is as follows:

The CVE fix commit: 82f522ae0d97 ("scsi: qla2xxx: Fix double free of 
fcport") states,

""
  Remove one of the free calls and add check for valid fcport. Also use
  function qla2x00_free_fcport() instead of kfree().

@@ -2784,7 +2786,6 @@ qla24xx_els_dcmd_iocb(scsi_qla_host_t *vha, int 
els_opcode,
             fcport->d_id.b.area, fcport->d_id.b.al_pa);

         wait_for_completion(&elsio->u.els_logo.comp);
-       qla2x00_free_fcport(fcport);

         /* ref: INIT */
         kref_put(&sp->cmd_kref, qla2x00_sp_release);

""

and the same function has this sp->free = qla2x00_els_dcmd_sp_free; so 
fcport is freed twice.

and this qla2xxx_free_fcport(fcport) in the success path is added by 
commit: 4895009c4bb7 ("scsi: qla2xxx: Prevent command send on chip 
reset") so I think this commit introduced the problem.

Thanks,
Harshit


> thanks,
> 
> greg k-h

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ