lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <2025010651-hedging-scrimmage-2509@gregkh>
Date: Mon, 6 Jan 2025 17:25:02 +0100
From: Greg KH <gregkh@...uxfoundation.org>
To: Harshit Mogalapalli <harshit.m.mogalapalli@...cle.com>
Cc: cve@...nel.org, vegard.nossum@...cle.com, linux-kernel@...r.kernel.org,
	Martin Petersen <martin.petersen@...cle.com>, skashyap@...vell.com,
	qutran@...vell.com, Himanshu Madhani <himanshu.madhani@...cle.com>
Subject: Re: [PATCH] CVE-2024-26929: Add vulnerable commit information

On Fri, Jan 03, 2025 at 01:53:19PM +0530, Harshit Mogalapalli wrote:
> Hi Greg,
> 
> +CC qla2xxx experts
> 
> On 03/01/25 12:22, Greg KH wrote:
> > On Thu, Jan 02, 2025 at 12:48:26PM -0800, Harshit Mogalapalli wrote:
> > > This CVE fixes: 4895009c4bb7 ("scsi: qla2xxx: Prevent command send on
> > > chip reset") so add that information in vulnerable commit.
> > > 
> > > Signed-off-by: Harshit Mogalapalli <harshit.m.mogalapalli@...cle.com>
> > > ---
> > >   cve/published/2024/CVE-2024-26929.vulnerable | 1 +
> > >   1 file changed, 1 insertion(+)
> > >   create mode 100644 cve/published/2024/CVE-2024-26929.vulnerable
> > > 
> > > diff --git a/cve/published/2024/CVE-2024-26929.vulnerable b/cve/published/2024/CVE-2024-26929.vulnerable
> > > new file mode 100644
> > > index 000000000000..b946d6f2786b
> > > --- /dev/null
> > > +++ b/cve/published/2024/CVE-2024-26929.vulnerable
> > > @@ -0,0 +1 @@
> > > +4895009c4bb72f71f2e682f1e7d2c2d96e482087
> > > -- 
> > > 2.46.0
> > > 
> > > 
> > 
> > Ok, by doing this it means this whole CVE needs to be rejected as the
> > vulnerable commit never shows up in a a release on its own.  Are you
> > sure about this?  If so, let's just reject the CVE.
> > 
> 
> My reasoning is as follows:
> 
> The CVE fix commit: 82f522ae0d97 ("scsi: qla2xxx: Fix double free of
> fcport") states,
> 
> ""
>  Remove one of the free calls and add check for valid fcport. Also use
>  function qla2x00_free_fcport() instead of kfree().
> 
> @@ -2784,7 +2786,6 @@ qla24xx_els_dcmd_iocb(scsi_qla_host_t *vha, int
> els_opcode,
>             fcport->d_id.b.area, fcport->d_id.b.al_pa);
> 
>         wait_for_completion(&elsio->u.els_logo.comp);
> -       qla2x00_free_fcport(fcport);
> 
>         /* ref: INIT */
>         kref_put(&sp->cmd_kref, qla2x00_sp_release);
> 
> ""
> 
> and the same function has this sp->free = qla2x00_els_dcmd_sp_free; so
> fcport is freed twice.
> 
> and this qla2xxx_free_fcport(fcport) in the success path is added by commit:
> 4895009c4bb7 ("scsi: qla2xxx: Prevent command send on chip reset") so I
> think this commit introduced the problem.

Thanks for this, I've now rejected the cve entirely.

greg k-h

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ