Message-ID: <2025010651-hedging-scrimmage-2509@gregkh>
Date: Mon, 6 Jan 2025 17:25:02 +0100
From: Greg KH <gregkh@...uxfoundation.org>
To: Harshit Mogalapalli <harshit.m.mogalapalli@...cle.com>
Cc: cve@...nel.org, vegard.nossum@...cle.com, linux-kernel@...r.kernel.org,
Martin Petersen <martin.petersen@...cle.com>, skashyap@...vell.com,
qutran@...vell.com, Himanshu Madhani <himanshu.madhani@...cle.com>
Subject: Re: [PATCH] CVE-2024-26929: Add vulnerable commit information
On Fri, Jan 03, 2025 at 01:53:19PM +0530, Harshit Mogalapalli wrote:
> Hi Greg,
>
> +CC qla2xxx experts
>
> On 03/01/25 12:22, Greg KH wrote:
> > On Thu, Jan 02, 2025 at 12:48:26PM -0800, Harshit Mogalapalli wrote:
> > > This CVE fixes: 4895009c4bb7 ("scsi: qla2xxx: Prevent command send on
> > > chip reset") so add that information in vulnerable commit.
> > >
> > > Signed-off-by: Harshit Mogalapalli <harshit.m.mogalapalli@...cle.com>
> > > ---
> > > cve/published/2024/CVE-2024-26929.vulnerable | 1 +
> > > 1 file changed, 1 insertion(+)
> > > create mode 100644 cve/published/2024/CVE-2024-26929.vulnerable
> > >
> > > diff --git a/cve/published/2024/CVE-2024-26929.vulnerable b/cve/published/2024/CVE-2024-26929.vulnerable
> > > new file mode 100644
> > > index 000000000000..b946d6f2786b
> > > --- /dev/null
> > > +++ b/cve/published/2024/CVE-2024-26929.vulnerable
> > > @@ -0,0 +1 @@
> > > +4895009c4bb72f71f2e682f1e7d2c2d96e482087
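Review bot: the commit message ("This CVE fixes: 4895009c4bb7 ...") inverts the relationship and gives no evidence for it; a CVE does not fix a commit, the CVE's fix commit (82f522ae0d97 per the follow-up in this thread) fixes a bug, and what this file asserts is that 4895009c4bb7 introduced that bug. State that directly and give the reason in the commit message itself, e.g. "the qla2x00_free_fcport(fcport) call that 82f522ae0d97 removes from qla24xx_els_dcmd_iocb() was added by 4895009c4bb7, while sp->free = qla2x00_els_dcmd_sp_free already frees fcport". Also say whether the consequence is intended: per the maintainer's reply, if the named vulnerable commit never appeared in a release on its own, adding this .vulnerable file leads to the CVE being rejected rather than annotated.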
> > > --
> > > 2.46.0
> > >
> > >
> >
> > Ok, by doing this it means this whole CVE needs to be rejected as the
> > vulnerable commit never shows up in a release on its own. Are you
> > sure about this? If so, let's just reject the CVE.
> >
>
> My reasoning is as follows:
>
> The CVE fix commit: 82f522ae0d97 ("scsi: qla2xxx: Fix double free of
> fcport") states,
>
> ""
> Remove one of the free calls and add check for valid fcport. Also use
> function qla2x00_free_fcport() instead of kfree().
>
> @@ -2784,7 +2786,6 @@ qla24xx_els_dcmd_iocb(scsi_qla_host_t *vha, int
> els_opcode,
> fcport->d_id.b.area, fcport->d_id.b.al_pa);
>
> wait_for_completion(&elsio->u.els_logo.comp);
> - qla2x00_free_fcport(fcport);
>
> /* ref: INIT */
> kref_put(&sp->cmd_kref, qla2x00_sp_release);
>
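Review bot: the quoted hunk shows only the removal of the explicit qla2x00_free_fcport(fcport) after wait_for_completion(); the "check for valid fcport" and the kfree() to qla2x00_free_fcport() replacement that the quoted commit text announces are not in this excerpt, so the excerpt alone does not show which commit added the removed call. The argument rests on the kref_put(&sp->cmd_kref, qla2x00_sp_release) in the retained context running sp->free = qla2x00_els_dcmd_sp_free, which frees fcport a second time; quote the line that sets sp->free, or the hunk from 4895009c4bb7 that added the explicit free, so the introducing commit is visible in the submission rather than inferred from this one hunk.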
> ""
>
> and the same function has this sp->free = qla2x00_els_dcmd_sp_free; so
> fcport is freed twice.
>
> and this qla2xxx_free_fcport(fcport) in the success path is added by commit:
> 4895009c4bb7 ("scsi: qla2xxx: Prevent command send on chip reset") so I
> think this commit introduced the problem.
Thanks for this, I've now rejected the CVE entirely.
greg k-h
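The ownership bug argued in the quoted reasoning, as an added example that is not the qla2xxx driver's code: a command structure holds a reference count and a free callback that releases its fcport, so an additional explicit free after the send completes is a double free, and the fix is to let the release callback be the only owner. The struct names (srb, fcport), the pool allocator and the instrumented free_fcport() that counts repeated frees instead of corrupting the heap are hypothetical stand-ins for kref_put(), qla2x00_sp_release() and qla2x00_free_fcport(), and the d_id value is constructed.

```c
/* Added example, not driver code: models "explicit free + release-callback
 * free" of the same fcport. The allocator is a fixed pool with a freed flag
 * so a second free is detected and counted rather than being undefined
 * behaviour. All names are hypothetical stand-ins for the qla2xxx ones. */
#include <stdlib.h>

struct fcport {
    unsigned int d_id;   /* constructed port id, stands in for d_id.b.* */
    int freed;           /* set by free_fcport(); a second free is a bug */
};

struct srb {
    int refcount;                 /* stand-in for kref cmd_kref */
    struct fcport *fcport;
    void (*free)(struct srb *);   /* stand-in for sp->free */
};

/* Tiny pool allocator so freed memory is never dereferenced. */
#define POOL_SIZE 4
static struct fcport pool[POOL_SIZE];
static int pool_next;
static int double_frees;          /* how many repeated frees were seen */

static void reset_pool(void)
{
    pool_next = 0;
    double_frees = 0;
}

static struct fcport *alloc_fcport(unsigned int d_id)
{
    if (pool_next >= POOL_SIZE)
        return NULL;
    struct fcport *f = &pool[pool_next++];
    f->d_id = d_id;
    f->freed = 0;
    return f;
}

/* Stand-in for qla2x00_free_fcport(): counts a repeated free instead of
 * corrupting the allocator. */
static void free_fcport(struct fcport *f)
{
    if (!f)
        return;
    if (f->freed) {
        double_frees++;
        return;
    }
    f->freed = 1;
}

/* Release callback, stand-in for qla2x00_els_dcmd_sp_free: it owns the
 * fcport, checks it is valid, and frees it together with the srb. */
static void els_dcmd_sp_free(struct srb *sp)
{
    if (sp->fcport)
        free_fcport(sp->fcport);
    sp->fcport = NULL;
    free(sp);
}

/* Stand-in for kref_put(&sp->cmd_kref, release): last reference runs
 * the release callback. */
static void sp_put(struct srb *sp)
{
    if (--sp->refcount == 0)
        sp->free(sp);
}

static struct srb *els_dcmd_alloc(unsigned int d_id)
{
    struct fcport *fcport = alloc_fcport(d_id);
    struct srb *sp = fcport ? calloc(1, sizeof(*sp)) : NULL;
    if (!sp) {
        free_fcport(fcport);
        return NULL;
    }
    sp->refcount = 1;             /* ref: INIT */
    sp->fcport = fcport;
    sp->free = els_dcmd_sp_free;
    return sp;
}

/* Buggy sequence: explicit free after completion, then the INIT ref drop
 * runs the release callback, which frees the same fcport again.
 * Returns the number of double frees detected (1). */
int els_dcmd_buggy(void)
{
    reset_pool();
    struct srb *sp = els_dcmd_alloc(0x010203u);
    if (!sp)
        return -1;
    /* ... command sent, wait_for_completion() returned ... */
    free_fcport(sp->fcport);      /* the extra free the fix removes */
    sp_put(sp);                   /* ref: INIT -> release -> second free */
    return double_frees;
}

/* Fixed sequence: only the release callback frees the fcport (0). */
int els_dcmd_fixed(void)
{
    reset_pool();
    struct srb *sp = els_dcmd_alloc(0x010203u);
    if (!sp)
        return -1;
    /* ... command sent, wait_for_completion() returned ... */
    sp_put(sp);                   /* ref: INIT -> release frees fcport once */
    return double_frees;
}
```

The point of the instrumented allocator is only to make the second free observable; in the real driver the second qla2x00_free_fcport() would free already-freed memory, so once a release callback owns an object no other path may free it.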