From patchwork Mon Oct 24 11:28:48 2022
X-Patchwork-Submitter: Greg KH
X-Patchwork-Id: 8657
From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Zheyu Ma, Saurav Kashyap, Wende Tan, Letu Ren, "Martin K. Petersen", Sasha Levin
Subject: [PATCH 4.19 009/229] scsi: qedf: Fix a UAF bug in __qedf_probe()
Date: Mon, 24 Oct 2022 13:28:48 +0200
Message-Id: <20221024112959.416076778@linuxfoundation.org>
In-Reply-To: <20221024112959.085534368@linuxfoundation.org>
References: <20221024112959.085534368@linuxfoundation.org>
X-Mailing-List: linux-kernel@vger.kernel.org
From: Letu Ren

[ Upstream commit fbfe96869b782364caebae0445763969ddb6ea67 ]

In __qedf_probe(), if qedf->cdev is NULL, which means qed_ops->common->probe() failed, then the program will goto label err1, and scsi_host_put() will free the lport->host pointer. Because the memory qedf points to is allocated by libfc_host_alloc(), it will be freed by scsi_host_put(). However, the if statement below label err0 only checks whether qedf is NULL but doesn't check whether the memory has been freed. So a UAF bug can occur.

There are two ways to reach the statements below err0. The first one is described as before: "qedf" should be set to NULL. The second one is goto "err0" directly. In the latter scenario qedf hasn't been changed and it has the initial value NULL. As a result the if statement is not reachable in any situation.

The KASAN logs are as follows:

[    2.312969] BUG: KASAN: use-after-free in __qedf_probe+0x5dcf/0x6bc0
[    2.312969]
[    2.312969] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014
[    2.312969] Call Trace:
[    2.312969]  dump_stack_lvl+0x59/0x7b
[    2.312969]  print_address_description+0x7c/0x3b0
[    2.312969]  ? __qedf_probe+0x5dcf/0x6bc0
[    2.312969]  __kasan_report+0x160/0x1c0
[    2.312969]  ? __qedf_probe+0x5dcf/0x6bc0
[    2.312969]  kasan_report+0x4b/0x70
[    2.312969]  ? kobject_put+0x25d/0x290
[    2.312969]  kasan_check_range+0x2ca/0x310
[    2.312969]  __qedf_probe+0x5dcf/0x6bc0
[    2.312969]  ? selinux_kernfs_init_security+0xdc/0x5f0
[    2.312969]  ? trace_rpm_return_int_rcuidle+0x18/0x120
[    2.312969]  ? rpm_resume+0xa5c/0x16e0
[    2.312969]  ? qedf_get_generic_tlv_data+0x160/0x160
[    2.312969]  local_pci_probe+0x13c/0x1f0
[    2.312969]  pci_device_probe+0x37e/0x6c0

Link: https://lore.kernel.org/r/20211112120641.16073-1-fantasquex@gmail.com
Reported-by: Zheyu Ma
Acked-by: Saurav Kashyap
Co-developed-by: Wende Tan
Signed-off-by: Wende Tan
Signed-off-by: Letu Ren
Signed-off-by: Martin K. Petersen
Signed-off-by: Sasha Levin --- drivers/scsi/qedf/qedf_main.c | 5 ----- 1 file changed, 5 deletions(-) diff --git a/drivers/scsi/qedf/qedf_main.c b/drivers/scsi/qedf/qedf_main.c index b253523217b8..01e27285b26b 100644 --- a/drivers/scsi/qedf/qedf_main.c +++ b/drivers/scsi/qedf/qedf_main.c @@ -3345,11 +3345,6 @@ static int __qedf_probe(struct pci_dev *pdev, int mode) err1: scsi_host_put(lport->host); err0: - if (qedf) { - QEDF_INFO(&qedf->dbg_ctx, QEDF_LOG_DISC, "Probe done.\n"); - - clear_bit(QEDF_PROBING, &qedf->flags); - } return rc; }
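Review bot: Removing the block is the right fix, but the hunk leaves the hazard undocumented: execution falls through from `err1:` into `err0:`, and after `scsi_host_put(lport->host);` the allocation that holds qedf is released while the local `qedf` pointer keeps its non-NULL value, so an `if (qedf)` check can never make that path safe. Suggest a one-line comment at `err0:` stating that qedf may point into the host freed at err1 and must not be touched there, so a later cleanup change does not reintroduce an access. Per the commit message the only other route to `err0` is a direct goto with qedf still NULL, so the deleted `if (qedf)` body had no reachable safe case; the only behavioural loss is the "Probe done." message and the QEDF_PROBING clear on the failure path, both of which were operating on memory that was either never allocated or already freed.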
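The ownership relation the commit message describes, as an added example that is not part of the patch or of the qedf driver: a toy C model in which the driver-private struct is embedded inside the host allocation, so the last put releases both while the local pointer stays non-NULL. Every name here (toy_host, toy_qedf, toy_lport, probe_before_fix, probe_after_fix, the FAIL_* and PROBE_* constants) is constructed for this illustration; the `freed` flag stands in for KASAN's detection of the stale access, and the host is a single static object so the "freed" block remains inspectable instead of being handed back to an allocator.

```c
#include <stdbool.h>
#include <string.h>

/*
 * Toy model (constructed for this example, not the kernel's code) of why a
 * NULL check cannot guard the err0 path: the private struct lives inside the
 * host allocation, so releasing the host frees it too, but the pointer that
 * referred to it is unchanged and still passes `if (qedf)`.
 */

#define QEDF_PROBING_BIT 1UL   /* stands in for the QEDF_PROBING flag bit */

struct toy_qedf {
    unsigned long flags;
    bool freed;     /* set when the enclosing host is released; models KASAN poisoning */
};

struct toy_host {
    int refcount;
    struct toy_qedf priv;   /* driver-private data embedded in the host allocation */
};

struct toy_lport {
    struct toy_host *host;
};

enum probe_fail {
    FAIL_NONE,          /* probe succeeds */
    FAIL_BEFORE_ALLOC,  /* early failure: goto err0 while qedf is still NULL */
    FAIL_AFTER_ALLOC,   /* qed_ops->common->probe() fails: goto err1 */
};

enum probe_result {
    PROBE_OK = 0,
    PROBE_FAILED = -1,      /* error path finished without touching freed memory */
    PROBE_FAILED_UAF = -2,  /* error path accessed freed memory (what KASAN reported) */
};

/* One static host, so the released block stays addressable for the check. */
static struct toy_host the_host;

static struct toy_host *toy_host_alloc(void)
{
    memset(&the_host, 0, sizeof the_host);
    the_host.refcount = 1;
    return &the_host;
}

/* Models scsi_host_put(): dropping the last reference releases the whole
 * allocation, including the embedded private data. */
static void toy_host_put(struct toy_host *host)
{
    if (--host->refcount == 0)
        host->priv.freed = true;
}

/* Models clear_bit(QEDF_PROBING, &qedf->flags); reports a hit on freed memory. */
static bool toy_clear_probing(struct toy_qedf *qedf)
{
    if (qedf->freed)
        return true;
    qedf->flags &= ~QEDF_PROBING_BIT;
    return false;
}

/* Shared probe body; `keep_err0_block` selects the pre-patch or patched cleanup. */
static int probe_common(enum probe_fail where, bool keep_err0_block)
{
    struct toy_qedf *qedf = NULL;
    struct toy_lport lport = { NULL };
    struct toy_host *host;
    int rc = PROBE_FAILED;

    if (where == FAIL_BEFORE_ALLOC)
        goto err0;                      /* direct goto err0: qedf is still NULL */

    host = toy_host_alloc();            /* libfc_host_alloc() in the driver */
    lport.host = host;
    qedf = &host->priv;
    qedf->flags |= QEDF_PROBING_BIT;

    if (where == FAIL_AFTER_ALLOC)
        goto err1;                      /* qed_ops->common->probe() left cdev NULL */

    toy_clear_probing(qedf);            /* success: probe done, host stays alive */
    return PROBE_OK;

err1:
    toy_host_put(lport.host);           /* releases the host and the embedded qedf */
err0:
    /* The block the patch removes: qedf is non-NULL but dangling after err1. */
    if (keep_err0_block && qedf && toy_clear_probing(qedf))
        rc = PROBE_FAILED_UAF;
    return rc;
}

/* Cleanup as it was before the patch. */
int probe_before_fix(enum probe_fail where) { return probe_common(where, true); }

/* Cleanup as patched: nothing touches qedf after err0. */
int probe_after_fix(enum probe_fail where) { return probe_common(where, false); }
```

Running probe_before_fix(FAIL_AFTER_ALLOC) returns PROBE_FAILED_UAF because the only path that reaches err0 with a non-NULL qedf is the one that has just released it; probe_after_fix returns PROBE_FAILED on both failure routes. The general defensive rule the patch follows is that a pointer into a refcounted container is invalid as soon as the container's last reference is dropped, so cleanup code either stops using it at that point or explicitly sets it to NULL after the put.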