From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Zheyu Ma, Saurav Kashyap, Wende Tan, Letu Ren, "Martin K. Petersen", Sasha Levin
Subject: [PATCH 5.19 19/48] scsi: qedf: Fix a UAF bug in __qedf_probe()
Date: Mon, 10 Oct 2022 09:05:17 +0200
Message-Id: <20221010070334.207130765@linuxfoundation.org>
X-Mailer: git-send-email 2.38.0
In-Reply-To: <20221010070333.676316214@linuxfoundation.org>
References: <20221010070333.676316214@linuxfoundation.org>
User-Agent: quilt/0.67
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-Spam-Status: No, score=-7.1 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_HI,SPF_HELO_NONE,SPF_PASS autolearn=ham autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org
From: Letu Ren

[ Upstream commit fbfe96869b782364caebae0445763969ddb6ea67 ]

In __qedf_probe(), if qedf->cdev is NULL, which means qed_ops->common->probe() failed, then the program will goto label err1, and scsi_host_put() will free the lport->host pointer. Because the memory qedf points to is allocated by libfc_host_alloc(), it will be freed by scsi_host_put(). However, the if statement below label err0 only checks whether qedf is NULL but doesn't check whether the memory has been freed. So a UAF bug can occur.

There are two ways to reach the statements below err0. The first one is described above: "qedf" should be set to NULL. The second one is to goto "err0" directly. In the latter scenario qedf hasn't been changed and it has the initial value NULL. As a result, the if statement is not reachable in any situation.

The KASAN logs are as follows:

[    2.312969] BUG: KASAN: use-after-free in __qedf_probe+0x5dcf/0x6bc0
[    2.312969]
[    2.312969] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014
[    2.312969] Call Trace:
[    2.312969]  dump_stack_lvl+0x59/0x7b
[    2.312969]  print_address_description+0x7c/0x3b0
[    2.312969]  ? __qedf_probe+0x5dcf/0x6bc0
[    2.312969]  __kasan_report+0x160/0x1c0
[    2.312969]  ? __qedf_probe+0x5dcf/0x6bc0
[    2.312969]  kasan_report+0x4b/0x70
[    2.312969]  ? kobject_put+0x25d/0x290
[    2.312969]  kasan_check_range+0x2ca/0x310
[    2.312969]  __qedf_probe+0x5dcf/0x6bc0
[    2.312969]  ? selinux_kernfs_init_security+0xdc/0x5f0
[    2.312969]  ? trace_rpm_return_int_rcuidle+0x18/0x120
[    2.312969]  ? rpm_resume+0xa5c/0x16e0
[    2.312969]  ? qedf_get_generic_tlv_data+0x160/0x160
[    2.312969]  local_pci_probe+0x13c/0x1f0
[    2.312969]  pci_device_probe+0x37e/0x6c0

Link: https://lore.kernel.org/r/20211112120641.16073-1-fantasquex@gmail.com
Reported-by: Zheyu Ma
Acked-by: Saurav Kashyap
Co-developed-by: Wende Tan
Signed-off-by: Wende Tan
Signed-off-by: Letu Ren
Signed-off-by: Martin K. Petersen
Signed-off-by: Sasha Levin --- drivers/scsi/qedf/qedf_main.c | 5 ----- 1 file changed, 5 deletions(-) diff --git a/drivers/scsi/qedf/qedf_main.c b/drivers/scsi/qedf/qedf_main.c index 3d6b137314f3..bbc4d5890ae6 100644 --- a/drivers/scsi/qedf/qedf_main.c +++ b/drivers/scsi/qedf/qedf_main.c @@ -3686,11 +3686,6 @@ static int __qedf_probe(struct pci_dev *pdev, int mode) err1: scsi_host_put(lport->host); err0: - if (qedf) { - QEDF_INFO(&qedf->dbg_ctx, QEDF_LOG_DISC, "Probe done.\n"); - - clear_bit(QEDF_PROBING, &qedf->flags); - } return rc; } -- 2.35.1
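Review bot: The deleted `if (qedf)` block under err0 is the use-after-free itself, so dropping it is the correct fix rather than a workaround: on the err1 path `scsi_host_put(lport->host)` releases the host that embeds qedf (the commit message states qedf comes from libfc_host_alloc()), so both `QEDF_INFO(&qedf->dbg_ctx, ...)` and `clear_bit(QEDF_PROBING, &qedf->flags)` read freed memory, while the only other way to reach err0 is a direct goto with qedf still NULL, so no observable behaviour is lost. One thing I would add in the hunk: a short comment at err0 saying that qedf is either NULL or already freed at that point, because the NULL check read like a guard and the same pattern is easy to reintroduce; a single `/* qedf is NULL here or was freed by scsi_host_put() above */` line after `err0:` would do.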
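The two paths into err0 that the commit message describes, as an added C model that is not qedf or kernel code: toy_host stands in for the Scsi_Host returned by libfc_host_alloc(), toy_ctx for the qedf context embedded in its private area, host_put() for scsi_host_put(), and a small liveness table plays the role KASAN played in the report. All of those names, the TOY_PROBING flag and both unwind functions are constructed for this example. The point it makes is the one the fix relies on: a NULL check is not a liveness check, so after the container is released the embedded pointer is dangling but still non-NULL, and the only safe err0 is one that does not touch it.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>

/* Constructed model of the __qedf_probe() unwind; not driver code. */
#define TOY_PROBING 1UL

struct toy_ctx {
	unsigned long flags;
};

struct toy_host {
	int refcount;
	struct toy_ctx ctx;	/* embedded: freed together with the host */
};

/* Liveness table standing in for KASAN's shadow memory. */
#define MAX_LIVE 8
static uintptr_t live_hosts[MAX_LIVE];

static struct toy_host *host_alloc(void)
{
	struct toy_host *h = calloc(1, sizeof(*h));

	if (!h)
		return NULL;
	h->refcount = 1;
	for (int i = 0; i < MAX_LIVE; i++) {
		if (!live_hosts[i]) {
			live_hosts[i] = (uintptr_t)h;
			return h;
		}
	}
	free(h);
	return NULL;
}

/* Drop a reference; the last one frees the host and its embedded ctx. */
static void host_put(struct toy_host *h)
{
	uintptr_t addr = (uintptr_t)h;

	if (--h->refcount)
		return;
	for (int i = 0; i < MAX_LIVE; i++)
		if (live_hosts[i] == addr)
			live_hosts[i] = 0;
	free(h);
}

static bool host_is_live(uintptr_t addr)
{
	for (int i = 0; i < MAX_LIVE; i++)
		if (live_hosts[i] == addr)
			return true;
	return false;
}

/*
 * Pre-fix unwind.  Returns 1 if the err0 block would have touched freed
 * memory, 0 for a clean unwind.  The liveness table is consulted instead
 * of dereferencing the dangling pointer, so the model itself stays safe.
 */
int buggy_unwind(bool alloc_fails)
{
	struct toy_host *host = NULL;
	struct toy_ctx *ctx = NULL;	/* like qedf: starts out NULL */
	uintptr_t host_addr = 0;
	int uaf = 0;

	if (alloc_fails)
		goto err0;		/* direct jump: ctx is still NULL */

	host = host_alloc();
	if (!host)
		goto err0;
	host_addr = (uintptr_t)host;
	ctx = &host->ctx;
	ctx->flags |= TOY_PROBING;

	/* common->probe() "fails" here, so we fall into err1. */
	host_put(host);			/* frees host and ctx together */
err0:
	if (ctx) {			/* passes: ctx is dangling, not NULL */
		if (host_is_live(host_addr))
			ctx->flags &= ~TOY_PROBING;
		else
			uaf = 1;	/* clear_bit() would read freed memory */
	}
	return uaf;
}

/* Post-fix unwind: err0 touches nothing, since ctx is NULL or freed. */
int fixed_unwind(bool alloc_fails)
{
	struct toy_host *host;

	if (alloc_fails)
		goto err0;
	host = host_alloc();
	if (!host)
		goto err0;
	host->ctx.flags |= TOY_PROBING;
	host_put(host);			/* err1: drop the host */
err0:
	/* Nothing here may dereference ctx: it is NULL or already freed. */
	return 0;
}
```

buggy_unwind(false) follows the err1 path from the report and flags the access; buggy_unwind(true) is the direct goto, where the NULL check is simply never true. fixed_unwind returns 0 on both paths, which is all the post-fix err0 can do.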