From patchwork Thu Oct 13 17:52:09 2022
From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Zheyu Ma, Saurav Kashyap, Wende Tan, Letu Ren, "Martin K. Petersen", Sasha Levin
Subject: [PATCH 5.4 08/38] scsi: qedf: Fix a UAF bug in __qedf_probe()
Date: Thu, 13 Oct 2022 19:52:09 +0200
Message-Id: <20221013175144.546603830@linuxfoundation.org>
In-Reply-To: <20221013175144.245431424@linuxfoundation.org>
References: <20221013175144.245431424@linuxfoundation.org>
From: Letu Ren

[ Upstream commit fbfe96869b782364caebae0445763969ddb6ea67 ]

In __qedf_probe(), if qedf->cdev is NULL, which means qed_ops->common->probe() failed, then the program will goto label err1, and scsi_host_put() will free lport->host pointer. Because the memory qedf points to is allocated by libfc_host_alloc(), it will be freed by scsi_host_put(). However, the if statement below label err0 only checks whether qedf is NULL but doesn't check whether the memory has been freed. So a UAF bug can occur.

There are two ways to reach the statements below err0. The first one is described as before: "qedf" should be set to NULL. The second one is goto "err0" directly. In the latter scenario qedf hasn't been changed and it has the initial value NULL. As a result the if statement is not reachable in any situation.

The KASAN logs are as follows:

[    2.312969] BUG: KASAN: use-after-free in __qedf_probe+0x5dcf/0x6bc0
[    2.312969]
[    2.312969] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014
[    2.312969] Call Trace:
[    2.312969]  dump_stack_lvl+0x59/0x7b
[    2.312969]  print_address_description+0x7c/0x3b0
[    2.312969]  ? __qedf_probe+0x5dcf/0x6bc0
[    2.312969]  __kasan_report+0x160/0x1c0
[    2.312969]  ? __qedf_probe+0x5dcf/0x6bc0
[    2.312969]  kasan_report+0x4b/0x70
[    2.312969]  ? kobject_put+0x25d/0x290
[    2.312969]  kasan_check_range+0x2ca/0x310
[    2.312969]  __qedf_probe+0x5dcf/0x6bc0
[    2.312969]  ? selinux_kernfs_init_security+0xdc/0x5f0
[    2.312969]  ? trace_rpm_return_int_rcuidle+0x18/0x120
[    2.312969]  ? rpm_resume+0xa5c/0x16e0
[    2.312969]  ? qedf_get_generic_tlv_data+0x160/0x160
[    2.312969]  local_pci_probe+0x13c/0x1f0
[    2.312969]  pci_device_probe+0x37e/0x6c0

Link: https://lore.kernel.org/r/20211112120641.16073-1-fantasquex@gmail.com
Reported-by: Zheyu Ma
Acked-by: Saurav Kashyap
Co-developed-by: Wende Tan
Signed-off-by: Wende Tan
Signed-off-by: Letu Ren
Signed-off-by: Martin K. Petersen
Signed-off-by: Sasha Levin --- drivers/scsi/qedf/qedf_main.c | 5 ----- 1 file changed, 5 deletions(-) diff --git a/drivers/scsi/qedf/qedf_main.c b/drivers/scsi/qedf/qedf_main.c index c95e04cc6424..f864ef059d29 100644 --- a/drivers/scsi/qedf/qedf_main.c +++ b/drivers/scsi/qedf/qedf_main.c @@ -3544,11 +3544,6 @@ static int __qedf_probe(struct pci_dev *pdev, int mode) err1: scsi_host_put(lport->host); err0: - if (qedf) { - QEDF_INFO(&qedf->dbg_ctx, QEDF_LOG_DISC, "Probe done.\n"); - - clear_bit(QEDF_PROBING, &qedf->flags); - } return rc; }
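Review bot: Deleting the entire `if (qedf)` block under err0 is the correct shape of fix rather than, say, reordering the labels, because on the err1 path `scsi_host_put(lport->host)` has already released the allocation that qedf points into, so neither `QEDF_INFO(&qedf->dbg_ctx, ...)` nor `clear_bit(QEDF_PROBING, &qedf->flags)` can be made safe there, and on the direct `goto err0` path qedf is still NULL so the block was dead anyway. One thing worth spelling out in the commit message, since it is outside the visible context of this hunk, is that the "Probe done." message and the clearing of QEDF_PROBING are still performed on the successful probe path, so a reviewer does not have to go read the rest of __qedf_probe() to confirm the flag is not left set after a good probe.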