| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <tencent_3BB950D6D2D470976F55FC879206DE0B9A09@qq.com>
Date: Tue, 24 Jun 2025 19:58:24 +0800
From: jackysliu <1972843537@...com>
To: anil.gurumurthy@...gic.com
Cc: sudarsana.kalluru@...gic.com,
James.Bottomley@...senPartnership.com,
martin.petersen@...cle.com,
linux-scsi@...r.kernel.org,
linux-kernel@...r.kernel.org,
jackysliu <1972843537@...com>
Subject: [PATCH] [PATCH] scsi:bfa: Double-free vulnerability fix
In the QLogic BR-series Fibre Channel driver (bfad),
there exists a double-free vulnerability.
When the bfad_im_probe() function fails during initialization,
the memory pointed to by bfad->im is freed without
setting bfad->im to NULL.
Subsequently, during driver uninstallation,
when the state machine enters the bfad_sm_stopping state
and calls the bfad_im_probe_undo() function,
it attempts to free the memory pointed to by bfad->im again,
thereby triggering a double-free vulnerability.
Signed-off-by: jackysliu <1972843537@...com>
---
drivers/scsi/bfa/bfad_im.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/scsi/bfa/bfad_im.c b/drivers/scsi/bfa/bfad_im.c
index a719a18f0fbc..c21210064fbd 100644
--- a/drivers/scsi/bfa/bfad_im.c
+++ b/drivers/scsi/bfa/bfad_im.c
@@ -706,6 +706,7 @@ bfad_im_probe(struct bfad_s *bfad)
if (bfad_thread_workq(bfad) != BFA_STATUS_OK) {
kfree(im);
+ bfad->im = NULL;
return BFA_STATUS_FAILED;
}
--
2.43.5
Powered by blists - more mailing lists