In the Linux kernel, the following vulnerability has been resolved:

scsi: core: Fix unremoved procfs host directory regression

Commit fc663711b944 (“scsi: core: Remove the /proc/scsi/${proc_name} directory earlier”) fixed a bug related to modules loading/unloading, by adding a call to scsi_proc_hostdir_rm() on scsi_remove_host(). But that led to a potential duplicate call to the hostdir_rm() routine, since it’s also called from scsi_host_dev_release(). That triggered a regression report, which was then fixed by commit be03df3d4bfe (“scsi: core: Fix a procfs host directory removal regression”). The fix just dropped the hostdir_rm() call from dev_release().

But it happens that this proc directory is created on scsi_host_alloc(), and that function “pairs” with scsi_host_dev_release(), while scsi_remove_host() pairs with scsi_add_host(). In other words, it seems the reason for removing the proc directory on dev_release() was meant to cover cases in which a SCSI host structure was allocated, but the call to scsi_add_host() didn’t happen. And that pattern happens to exist in some error paths, for example.

Syzkaller causes that by using USB raw gadget device, error’ing on usb-storage driver, at usb_stor_probe2(). By checking that path, we can see that the BadDevice label leads to a scsi_host_put() after a SCSI host allocation, but there’s no call to scsi_add_host() in such path. That leads to messages like this in dmesg (and a leak of the SCSI host proc structure):

    usb-storage 4-1:87.51: USB Mass Storage device detected
    proc_dir_entry 'scsi/usb-storage' already registered
    WARNING: CPU: 1 PID: 3519 at fs/proc/generic.c:377 proc_register+0x347/0x4e0 fs/proc/generic.c:376

The proper fix seems to still call scsi_proc_hostdir_rm() on dev_release(), but guard that with the state check for SHOST_CREATED; there is even a comment in scsi_host_dev_release() detailing that: such conditional is meant for cases where the SCSI host was allocated but there were no calls to {add,remove}_host(), like the usb-storage case.

This is what we propose here and with that, the error path of usb-storage does not trigger the warning anymore.
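
The pairing problem described above, as an added user-space model that is not kernel code and not part of the original commit. Function names follow the commit text; the `refs` counter, the `policy` enum and `run_path()` are assumptions of this sketch. It compares the three removal policies on a normal host lifetime and on the alloc-then-put error path.

```c
#include <stdio.h>

/* Toy user-space model (not kernel code). Function names follow the commit
 * text; the bodies and the "refs" counter are assumptions of this sketch. */
enum state  { SHOST_CREATED, SHOST_RUNNING, SHOST_DEL };
enum policy { RM_ALWAYS,       /* after fc663711b944: rm in remove_host and dev_release */
              RM_NEVER,        /* after be03df3d4bfe: rm dropped from dev_release */
              RM_IF_CREATED }; /* the fix: rm in dev_release only if SHOST_CREATED */

struct host { enum state st; int *refs; };

static void scsi_proc_hostdir_add(int *refs) { (*refs)++; }
static void scsi_proc_hostdir_rm(int *refs)  { (*refs)--; }

static struct host scsi_host_alloc(int *refs) {
    struct host h = { SHOST_CREATED, refs };
    scsi_proc_hostdir_add(refs);           /* proc dir is created at alloc time */
    return h;
}
static void scsi_add_host(struct host *h) { h->st = SHOST_RUNNING; }
static void scsi_remove_host(struct host *h) {
    scsi_proc_hostdir_rm(h->refs);         /* call added by fc663711b944 */
    h->st = SHOST_DEL;
}
static void scsi_host_dev_release(struct host *h, enum policy p) {
    if (p == RM_ALWAYS || (p == RM_IF_CREATED && h->st == SHOST_CREATED))
        scsi_proc_hostdir_rm(h->refs);
}

/* Leftover proc-dir references: 0 balanced, >0 leaked, <0 removed twice. */
int run_path(enum policy p, int added) {
    int refs = 0;
    struct host h = scsi_host_alloc(&refs);
    if (added) {                           /* normal lifetime */
        scsi_add_host(&h);
        scsi_remove_host(&h);
    }                                      /* else: probe error path (BadDevice) */
    scsi_host_dev_release(&h, p);          /* reached via the final scsi_host_put() */
    return refs;
}

int main(void) {
    const char *names[] = { "rm always", "rm never", "rm if SHOST_CREATED" };
    for (int p = RM_ALWAYS; p <= RM_IF_CREATED; p++)
        printf("%-20s normal=%+d error-path=%+d\n", names[p],
               run_path((enum policy)p, 1), run_path((enum policy)p, 0));
    return 0;
}
```

Only the state-guarded policy leaves the count balanced on both paths.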

OS | OS Version | Architecture | Package | Package Version | Filename |
---|---|---|---|---|---|
ubuntu | 20.04 | noarch | linux | < 5.4.0-189.209 | UNKNOWN |
ubuntu | 22.04 | noarch | linux | < 5.15.0-116.126 | UNKNOWN |
ubuntu | 24.04 | noarch | linux | < 6.8.0-35.35 | UNKNOWN |
ubuntu | 20.04 | noarch | linux-aws | < 5.4.0-1128.138 | UNKNOWN |
ubuntu | 22.04 | noarch | linux-aws | < 5.15.0-1065.71 | UNKNOWN |
ubuntu | 24.04 | noarch | linux-aws | < 6.8.0-1009.9 | UNKNOWN |
ubuntu | 20.04 | noarch | linux-aws-5.15 | < 5.15.0-1065.71~20.04.1 | UNKNOWN |
ubuntu | 18.04 | noarch | linux-aws-5.4 | < any | UNKNOWN |
ubuntu | 22.04 | noarch | linux-aws-6.5 | < any | UNKNOWN |
ubuntu | 20.04 | noarch | linux-azure | < 5.4.0-1133.140 | UNKNOWN |

git.kernel.org/linus/f23a4d6e07570826fe95023ca1aa96a011fa9f84 (6.9-rc2)
git.kernel.org/stable/c/0053f15d50d50c9312d8ab9c11e2e405812dfcac
git.kernel.org/stable/c/3678cf67ff7136db1dd3bf63c361650db5d92889
git.kernel.org/stable/c/5c2386ba80e779a92ec3bb64ccadbedd88f779b1
git.kernel.org/stable/c/cea234bb214b17d004dfdccce4491e6ff57c96ee
git.kernel.org/stable/c/d4c34782b6d7b1e68d18d9549451b19433bd4c6c
git.kernel.org/stable/c/e293c773c13b830cdc251f155df2254981abc320
git.kernel.org/stable/c/f23a4d6e07570826fe95023ca1aa96a011fa9f84
git.kernel.org/stable/c/f4ff08fab66eb5c0b97e1a24edac052fb40bf5d7
launchpad.net/bugs/cve/CVE-2024-26935
nvd.nist.gov/vuln/detail/CVE-2024-26935
security-tracker.debian.org/tracker/CVE-2024-26935
ubuntu.com/security/notices/USN-6816-1
ubuntu.com/security/notices/USN-6817-1
ubuntu.com/security/notices/USN-6817-2
ubuntu.com/security/notices/USN-6817-3
ubuntu.com/security/notices/USN-6878-1
ubuntu.com/security/notices/USN-6896-1
ubuntu.com/security/notices/USN-6896-2
ubuntu.com/security/notices/USN-6896-3
ubuntu.com/security/notices/USN-6896-4
ubuntu.com/security/notices/USN-6896-5
ubuntu.com/security/notices/USN-6898-1
ubuntu.com/security/notices/USN-6898-2
ubuntu.com/security/notices/USN-6898-3
ubuntu.com/security/notices/USN-6898-4
ubuntu.com/security/notices/USN-6917-1
ubuntu.com/security/notices/USN-6919-1
www.cve.org/CVERecord?id=CVE-2024-26935