mirror_ubuntu-kernels/drivers/scsi/qedf
Letu Ren fbfe96869b scsi: qedf: Fix a UAF bug in __qedf_probe()
In __qedf_probe(), if qedf->cdev is NULL which means
qed_ops->common->probe() failed, then the program will goto label err1, and
scsi_host_put() will free lport->host pointer. Because the memory qedf
points to is allocated by libfc_host_alloc(), it will be freed by
scsi_host_put(). However, the if statement below label err0 only checks
whether qedf is NULL but doesn't check whether the memory has been freed.
So a UAF bug can occur.

There are two ways to reach the statements below err0. The first one is
described as before, "qedf" should be set to NULL. The second one is goto
"err0" directly. In the latter scenario qedf hasn't been changed and it has
the initial value NULL. As a result the if statement is not reachable in
any situation.

The KASAN logs are as follows:

[    2.312969] BUG: KASAN: use-after-free in __qedf_probe+0x5dcf/0x6bc0
[    2.312969]
[    2.312969] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014
[    2.312969] Call Trace:
[    2.312969]  dump_stack_lvl+0x59/0x7b
[    2.312969]  print_address_description+0x7c/0x3b0
[    2.312969]  ? __qedf_probe+0x5dcf/0x6bc0
[    2.312969]  __kasan_report+0x160/0x1c0
[    2.312969]  ? __qedf_probe+0x5dcf/0x6bc0
[    2.312969]  kasan_report+0x4b/0x70
[    2.312969]  ? kobject_put+0x25d/0x290
[    2.312969]  kasan_check_range+0x2ca/0x310
[    2.312969]  __qedf_probe+0x5dcf/0x6bc0
[    2.312969]  ? selinux_kernfs_init_security+0xdc/0x5f0
[    2.312969]  ? trace_rpm_return_int_rcuidle+0x18/0x120
[    2.312969]  ? rpm_resume+0xa5c/0x16e0
[    2.312969]  ? qedf_get_generic_tlv_data+0x160/0x160
[    2.312969]  local_pci_probe+0x13c/0x1f0
[    2.312969]  pci_device_probe+0x37e/0x6c0

Link: https://lore.kernel.org/r/20211112120641.16073-1-fantasquex@gmail.com
Reported-by: Zheyu Ma <zheyuma97@gmail.com>
Acked-by: Saurav Kashyap <skashyap@marvell.com>
Co-developed-by: Wende Tan <twd2.me@gmail.com>
Signed-off-by: Wende Tan <twd2.me@gmail.com>
Signed-off-by: Letu Ren <fantasquex@gmail.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
2022-09-15 21:26:55 -04:00
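The ownership relation behind this bug, as an added example in C that is not the driver's or the kernel's code: a host object owns the driver-private area that qedf points into, so dropping the last host reference invalidates qedf even though the pointer itself is still non-NULL. host_alloc(), host_put(), qedf_read(), probe_buggy() and probe_fixed() are hypothetical stand-ins; a released host is kept in quarantine so the dangling read can be reported instead of being undefined behaviour.

```c
/* Added example (not kernel code) modelling the __qedf_probe() error path;
 * host_alloc()/host_put() stand in for libfc_host_alloc()/scsi_host_put(). */
#include <stddef.h>
#include <stdlib.h>
#include <errno.h>

struct qedf_ctx { int dbg_level; };
struct host {
    int refcount;            /* 0 once the last reference is dropped */
    struct qedf_ctx priv;    /* driver-private area that qedf points into */
};

static struct host *host_alloc(void)
{ struct host *h = calloc(1, sizeof(*h)); if (h) h->refcount = 1; return h; }
/* Released hosts are quarantined (marked dead, not freed) so a later read is detectable. */
static void host_put(struct host *h) { h->refcount--; }

/* Every read of *qedf goes here: 0 while the owner lives, -1 on use-after-free. */
static int qedf_read(const struct qedf_ctx *qedf)
{
    const char *base = (const char *)qedf - offsetof(struct host, priv);
    return ((const struct host *)base)->refcount > 0 ? 0 : -1;
}

/* Buggy shape: err0 only tests qedf for NULL, so a dangling qedf is read. */
static int probe_buggy(int probe_fails)
{
    struct host *host = host_alloc();
    struct qedf_ctx *qedf = host ? &host->priv : NULL;
    int rc = -ENOMEM;
    if (!host) goto err0;                /* qedf is still NULL on this path */
    if (probe_fails) { rc = -EINVAL; goto err1; }
    return 0;                            /* success: the host stays alive */
err1:
    host_put(host);                      /* releases the host, and *qedf with it */
err0:
    if (qedf && qedf_read(qedf) < 0)     /* the "Probe done." log reads *qedf */
        return -EFAULT;                  /* sentinel: use-after-free observed */
    return rc;
}

/* Fixed shape: the unreachable err0 check is gone, so nothing touches qedf
 * once host_put() has run; the error code is simply returned. */
static int probe_fixed(int probe_fails)
{
    struct host *host = host_alloc();
    if (!host) return -ENOMEM;           /* err0 directly */
    if (!probe_fails) return 0;
    host_put(host);                      /* err1 */
    return -EINVAL;                      /* err0: just return rc */
}
```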
drv_fcoe_fw_funcs.c qed: Remove e4_ and _e4 from FW HSI 2021-10-04 12:55:48 +01:00
drv_fcoe_fw_funcs.h qed: Remove e4_ and _e4 from FW HSI 2021-10-04 12:55:48 +01:00
drv_scsi_fw_funcs.c
drv_scsi_fw_funcs.h
Kconfig treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
Makefile
qedf_attr.c scsi: qedf: Remove unnecessary code 2022-04-25 23:36:31 -04:00
qedf_dbg.c scsi: qedf: Use vzalloc() instead of vmalloc()/memset(0) 2021-05-21 16:31:17 -04:00
qedf_dbg.h scsi: qedf: Remove unused include of linux/version.h 2021-04-05 23:45:23 -04:00
qedf_debugfs.c scsi: qedf: Demote obvious misuse of kerneldoc to standard comment blocks 2020-07-15 16:01:58 -04:00
qedf_els.c qed: Remove e4_ and _e4 from FW HSI 2021-10-04 12:55:48 +01:00
qedf_fip.c scsi: qedf: Remove redundant initialization of variable rc 2020-06-02 21:44:14 -04:00
qedf_hsi.h
qedf_io.c scsi: qedf: Fix typo in comment 2022-05-23 23:24:10 -04:00
qedf_main.c scsi: qedf: Fix a UAF bug in __qedf_probe() 2022-09-15 21:26:55 -04:00
qedf_version.h scsi: qedf: Update the version to 8.42.3.0 2019-08-29 18:51:19 -04:00
qedf.h scsi: qedf: Stop using the SCSI pointer 2022-02-22 21:11:05 -05:00