From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Zheyu Ma, Saurav Kashyap, Wende Tan, Letu Ren, "Martin K. Petersen", Sasha Levin
Subject: [PATCH 5.4 08/38] scsi: qedf: Fix a UAF bug in __qedf_probe()
Date: Thu, 13 Oct 2022 19:52:09 +0200
Message-Id: <20221013175144.546603830@linuxfoundation.org>
X-Mailer: git-send-email 2.38.0
In-Reply-To: <20221013175144.245431424@linuxfoundation.org>
References: <20221013175144.245431424@linuxfoundation.org>
User-Agent: quilt/0.67
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-Spam-Status: No, score=-7.1 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_HI, SPF_HELO_NONE,SPF_PASS autolearn=ham autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net
Precedence: bulk
List-ID: 
X-Mailing-List: linux-kernel@vger.kernel.org
From: Letu Ren

[ Upstream commit fbfe96869b782364caebae0445763969ddb6ea67 ]

In __qedf_probe(), if qedf->cdev is NULL, which means qed_ops->common->probe() failed, then the program will goto label err1, and scsi_host_put() will free the lport->host pointer. Because the memory qedf points to is allocated by libfc_host_alloc(), it will be freed by scsi_host_put(). However, the if statement below label err0 only checks whether qedf is NULL but doesn't check whether the memory has been freed. So a UAF bug can occur.

There are two ways to reach the statements below err0. The first one is described above; "qedf" should be set to NULL. The second one is to goto "err0" directly. In the latter scenario qedf hasn't been changed and it has the initial value NULL. As a result the if statement is not reachable in any situation.

The KASAN logs are as follows:

[    2.312969] BUG: KASAN: use-after-free in __qedf_probe+0x5dcf/0x6bc0
[    2.312969]
[    2.312969] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014
[    2.312969] Call Trace:
[    2.312969]  dump_stack_lvl+0x59/0x7b
[    2.312969]  print_address_description+0x7c/0x3b0
[    2.312969]  ? __qedf_probe+0x5dcf/0x6bc0
[    2.312969]  __kasan_report+0x160/0x1c0
[    2.312969]  ? __qedf_probe+0x5dcf/0x6bc0
[    2.312969]  kasan_report+0x4b/0x70
[    2.312969]  ? kobject_put+0x25d/0x290
[    2.312969]  kasan_check_range+0x2ca/0x310
[    2.312969]  __qedf_probe+0x5dcf/0x6bc0
[    2.312969]  ? selinux_kernfs_init_security+0xdc/0x5f0
[    2.312969]  ? trace_rpm_return_int_rcuidle+0x18/0x120
[    2.312969]  ? rpm_resume+0xa5c/0x16e0
[    2.312969]  ? qedf_get_generic_tlv_data+0x160/0x160
[    2.312969]  local_pci_probe+0x13c/0x1f0
[    2.312969]  pci_device_probe+0x37e/0x6c0

Link: https://lore.kernel.org/r/20211112120641.16073-1-fantasquex@gmail.com
Reported-by: Zheyu Ma
Acked-by: Saurav Kashyap
Co-developed-by: Wende Tan
Signed-off-by: Wende Tan
Signed-off-by: Letu Ren
Signed-off-by: Martin K. Petersen
Signed-off-by: Sasha Levin --- drivers/scsi/qedf/qedf_main.c | 5 ----- 1 file changed, 5 deletions(-) diff --git a/drivers/scsi/qedf/qedf_main.c b/drivers/scsi/qedf/qedf_main.c index c95e04cc6424..f864ef059d29 100644 --- a/drivers/scsi/qedf/qedf_main.c +++ b/drivers/scsi/qedf/qedf_main.c @@ -3544,11 +3544,6 @@ static int __qedf_probe(struct pci_dev *pdev, int mode) err1: scsi_host_put(lport->host); err0: - if (qedf) { - QEDF_INFO(&qedf->dbg_ctx, QEDF_LOG_DISC, "Probe done.\n"); - - clear_bit(QEDF_PROBING, &qedf->flags); - } return rc; } -- 2.35.1
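Review bot: deleting the whole err0 body is the right shape for this fix, because on the err1 fall-through `scsi_host_put(lport->host)` has already released the allocation that `qedf` points into, so neither `QEDF_INFO(&qedf->dbg_ctx, ...)` nor `clear_bit(QEDF_PROBING, &qedf->flags)` has a live object to touch; the `if (qedf)` test itself only compares a local pointer and is not the faulting access, the `clear_bit()` write is what KASAN reported. The alternative of adding `qedf = NULL;` after `scsi_host_put()` would also close the UAF but would leave the block as dead code, since every path into err0 would then carry a NULL `qedf`, which is the point the commit message makes about the second way into err0. One wording nit for the description: "the if statement is not reachable in any situation" holds for the intended semantics, not for the pre-patch code, where the err1 path reaches it with a dangling non-NULL `qedf`, exactly as the trace shows.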
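Added example, not part of the patch or of the qedf driver: a user-space C model of the error path the commit message describes, so the dangling-but-not-NULL `qedf` can be seen without a kernel build. All names here (`fake_host`, `fake_qedf`, `host_alloc`, `host_put`, `checked`, `probe`, `uaf_count`) are hypothetical stand-ins; the driver-private struct is carved out of the same allocation as the host, as libfc_host_alloc() does for the lport, and a state word plus a one-slot quarantine plays the role of KASAN's shadow memory so the freed-memory write is counted instead of being undefined behaviour. `patched=1` drops the err0 body as the hunk above does.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Model of the pre-/post-patch __qedf_probe() error path.  Not kernel code:
 * the driver-private struct lives inside the host allocation, so releasing the
 * host frees it too; a state word + quarantine stand in for KASAN's shadow. */

enum fail_point { FAIL_NONE, FAIL_HOST_ALLOC, FAIL_COMMON_PROBE };

struct fake_host {
	unsigned long state;        /* HOST_LIVE or HOST_FREED: the "shadow" for this block */
	unsigned char priv[64];     /* driver-private area: this is where qedf lives */
};
#define HOST_LIVE  0x4c495645UL
#define HOST_FREED 0xdeadbeefUL

struct fake_qedf {
	struct fake_host *host;
	void *cdev;                 /* NULL models qed_ops->common->probe() failing */
	unsigned long flags;
};
#define QEDF_PROBING 0          /* bit number in the flags word, as in the driver */

static struct fake_host *quarantine;   /* most recently "freed" host, parked for checking */
static int uaf_hits;                   /* accesses to freed memory observed */

/* libfc_host_alloc() stand-in; FAIL_HOST_ALLOC forces the NULL return. */
static struct fake_host *host_alloc(enum fail_point fp)
{
	struct fake_host *h = (fp == FAIL_HOST_ALLOC) ? NULL : calloc(1, sizeof(*h));

	if (h)
		h->state = HOST_LIVE;
	return h;
}

/* scsi_host_put() stand-in: mark freed, poison the payload, park instead of free(). */
static void host_put(struct fake_host *h)
{
	h->state = HOST_FREED;
	memset(h->priv, 0xa5, sizeof(h->priv));
	free(quarantine);
	quarantine = h;
}

/* Every qedf dereference in the model goes through here; KASAN instruments
 * each load/store instead.  Recovers the containing host and checks its state. */
static struct fake_qedf *checked(struct fake_qedf *qedf)
{
	struct fake_host *h = (struct fake_host *)((char *)qedf - offsetof(struct fake_host, priv));

	if (h->state != HOST_LIVE)
		uaf_hits++;
	return qedf;
}

/* Shape of __qedf_probe(); patched=1 removes the err0 body as the fix does. */
static int probe(enum fail_point fp, int patched)
{
	struct fake_host *host;
	struct fake_qedf *qedf = NULL;
	int rc = 0;

	host = host_alloc(fp);
	if (!host) {
		rc = -ENOMEM;
		goto err0;              /* qedf still NULL: the err0 body is skipped */
	}
	qedf = (struct fake_qedf *)host->priv;
	qedf->host = host;
	qedf->flags |= 1UL << QEDF_PROBING;

	qedf->cdev = (fp == FAIL_COMMON_PROBE) ? NULL : host;   /* common->probe() result */
	if (!qedf->cdev) {
		rc = -ENODEV;
		goto err1;
	}
	host_put(host);                 /* a real probe keeps the host; released so the model does not leak */
	return rc;

err1:
	host_put(checked(qedf)->host);  /* frees the block qedf points into; qedf now dangles, not NULL */
err0:
	if (!patched && qedf)           /* compares a local pointer: not itself a UAF ... */
		checked(qedf)->flags &= ~(1UL << QEDF_PROBING);   /* ... this write is the KASAN report */
	return rc;
}

/* Run one probe and report how many freed-memory accesses it made. */
static int uaf_count(enum fail_point fp, int patched)
{
	uaf_hits = 0;
	probe(fp, patched);
	free(quarantine);
	quarantine = NULL;
	return uaf_hits;
}

int main(void)
{
	printf("pre-patch, common probe fails: %d UAF\n", uaf_count(FAIL_COMMON_PROBE, 0));
	printf("patched,   common probe fails: %d UAF\n", uaf_count(FAIL_COMMON_PROBE, 1));
	printf("pre-patch, host alloc fails:   %d UAF\n", uaf_count(FAIL_HOST_ALLOC, 0));
	return 0;
}
```

Build with `cc -Wall model.c && ./a.out`. Only the FAIL_COMMON_PROBE path on the unpatched shape reports a hit: the host allocation failure path reaches err0 with `qedf == NULL` and skips the body, and the patched shape has no body to run. Setting `qedf = NULL` after the put would also bring the count to zero, which is why the commit message treats the remaining block as unreachable and removes it; in the kernel the equivalent check is a CONFIG_KASAN build, which is what produced the trace quoted above.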