CVE-2024-26929 scsi: qla2xxx: Fix double free of fcport

2024-05-0105:17:06

Linux

github.com

kernel

vulnerability

linux

qla2xxx

freeing

fcport

crash

hpe proliant

AI Score

6.8

Confidence

Low

SSVC

Exploitation

none

Automatable

Technical Impact

total

JSON

In the Linux kernel, the following vulnerability has been resolved:

scsi: qla2xxx: Fix double free of fcport

The server was crashing after LOGO because fcport was getting freed twice.

-----------[ cut here ]-----------
kernel BUG at mm/slub.c:371!
invalid opcode: 0000 1 SMP PTI
CPU: 35 PID: 4610 Comm: bash Kdump: loaded Tainted: G OE --------- - - 4.18.0-425.3.1.el8.x86_64 #1
Hardware name: HPE ProLiant DL360 Gen10/ProLiant DL360 Gen10, BIOS U32 09/03/2021
RIP: 0010:set_freepointer.part.57+0x0/0x10
RSP: 0018:ffffb07107027d90 EFLAGS: 00010246
RAX: ffff9cb7e3150000 RBX: ffff9cb7e332b9c0 RCX: ffff9cb7e3150400
RDX: 0000000000001f37 RSI: 0000000000000000 RDI: ffff9cb7c0005500
RBP: fffff693448c5400 R08: 0000000080000000 R09: 0000000000000009
R10: 0000000000000000 R11: 0000000000132af0 R12: ffff9cb7c0005500
R13: ffff9cb7e3150000 R14: ffffffffc06990e0 R15: ffff9cb7ea85ea58
FS: 00007ff6b79c2740(0000) GS:ffff9cb8f7ec0000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000055b426b7d700 CR3: 0000000169c18002 CR4: 00000000007706e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
PKRU: 55555554
Call Trace:
kfree+0x238/0x250
qla2x00_els_dcmd_sp_free+0x20/0x230 [qla2xxx]
? qla24xx_els_dcmd_iocb+0x607/0x690 [qla2xxx]
qla2x00_issue_logo+0x28c/0x2a0 [qla2xxx]
? qla2x00_issue_logo+0x28c/0x2a0 [qla2xxx]
? kernfs_fop_write+0x11e/0x1a0

Remove one of the free calls and add check for valid fcport. Also use
function qla2x00_free_fcport() instead of kfree().

ADP Affected

[
  {
    "cpes": [
      "cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*"
    ],
    "vendor": "linux",
    "product": "linux_kernel",
    "versions": [
      {
        "status": "affected",
        "version": "1da177e4c3f4",
        "lessThan": "b03e626bd6d3",
        "versionType": "custom"
      },
      {
        "status": "affected",
        "version": "1da177e4c3f4",
        "lessThan": "282877633b25",
        "versionType": "custom"
      },
      {
        "status": "affected",
        "version": "1da177e4c3f4",
        "lessThan": "f85af9f1aa5e",
        "versionType": "custom"
      },
      {
        "status": "affected",
        "version": "1da177e4c3f4",
        "lessThan": "9b43d2884b54",
        "versionType": "custom"
      },
      {
        "status": "affected",
        "version": "1da177e4c3f4",
        "lessThan": "846fb9f112f6",
        "versionType": "custom"
      },
      {
        "status": "affected",
        "version": "1da177e4c3f4",
        "lessThan": "82f522ae0d97",
        "versionType": "custom"
      },
      {
        "status": "unaffected",
        "version": "5.15.154",
        "versionType": "custom",
        "lessThanOrEqual": "5.16"
      },
      {
        "status": "unaffected",
        "version": "6.1.84",
        "versionType": "custom",
        "lessThanOrEqual": "6.2"
      },
      {
        "status": "unaffected",
        "version": "6.6.24",
        "versionType": "custom",
        "lessThanOrEqual": "6.7"
      },
      {
        "status": "unaffected",
        "version": "6.7.12",
        "versionType": "custom",
        "lessThanOrEqual": "6.8"
      },
      {
        "status": "unaffected",
        "version": "6.8.3",
        "versionType": "custom",
        "lessThanOrEqual": "6.9"
      },
      {
        "status": "unaffected",
        "version": "6.9",
        "versionType": "custom",
        "lessThanOrEqual": "*"
      }
    ],
    "defaultStatus": "unknown"
  }
]