[PATCH AUTOSEL 4.19 5/8] scsi: qedf: Fix a UAF bug in __qedf_probe()

From: Sasha Levin
Date: Sun Oct 02 2022 - 19:05:11 EST

Next message: Sasha Levin: "[PATCH AUTOSEL 5.4 4/9] ARM: dts: fix Moxa SDIO 'compatible', remove 'sdhci' misnomer"
Previous message: Sasha Levin: "[PATCH AUTOSEL 4.19 4/8] ARM: dts: fix Moxa SDIO 'compatible', remove 'sdhci' misnomer"
In reply to: Sasha Levin: "[PATCH AUTOSEL 4.19 4/8] ARM: dts: fix Moxa SDIO 'compatible', remove 'sdhci' misnomer"
Next in thread: Sasha Levin: "[PATCH AUTOSEL 4.19 2/8] dmaengine: xilinx_dma: cleanup for fetching xlnx,num-fstores property"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Letu Ren <fantasquex@xxxxxxxxx>

[ Upstream commit fbfe96869b782364caebae0445763969ddb6ea67 ]

In __qedf_probe(), if qedf->cdev is NULL which means
qed_ops->common->probe() failed, then the program will goto label err1, and
scsi_host_put() will free lport->host pointer. Because the memory qedf
points to is allocated by libfc_host_alloc(), it will be freed by
scsi_host_put(). However, the if statement below label err0 only checks
whether qedf is NULL but doesn't check whether the memory has been freed.
So a UAF bug can occur.

There are two ways to reach the statements below err0. The first one is
described as before, "qedf" should be set to NULL. The second one is goto
"err0" directly. In the latter scenario qedf hasn't been changed and it has
the initial value NULL. As a result the if statement is not reachable in
any situation.

The KASAN logs are as follows:

[ 2.312969] BUG: KASAN: use-after-free in __qedf_probe+0x5dcf/0x6bc0
[ 2.312969]
[ 2.312969] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014
[ 2.312969] Call Trace:
[ 2.312969] dump_stack_lvl+0x59/0x7b
[ 2.312969] print_address_description+0x7c/0x3b0
[ 2.312969] ? __qedf_probe+0x5dcf/0x6bc0
[ 2.312969] __kasan_report+0x160/0x1c0
[ 2.312969] ? __qedf_probe+0x5dcf/0x6bc0
[ 2.312969] kasan_report+0x4b/0x70
[ 2.312969] ? kobject_put+0x25d/0x290
[ 2.312969] kasan_check_range+0x2ca/0x310
[ 2.312969] __qedf_probe+0x5dcf/0x6bc0
[ 2.312969] ? selinux_kernfs_init_security+0xdc/0x5f0
[ 2.312969] ? trace_rpm_return_int_rcuidle+0x18/0x120
[ 2.312969] ? rpm_resume+0xa5c/0x16e0
[ 2.312969] ? qedf_get_generic_tlv_data+0x160/0x160
[ 2.312969] local_pci_probe+0x13c/0x1f0
[ 2.312969] pci_device_probe+0x37e/0x6c0

Link: https://lore.kernel.org/r/20211112120641.16073-1-fantasquex@xxxxxxxxx
Reported-by: Zheyu Ma <zheyuma97@xxxxxxxxx>
Acked-by: Saurav Kashyap <skashyap@xxxxxxxxxxx>
Co-developed-by: Wende Tan <twd2.me@xxxxxxxxx>
Signed-off-by: Wende Tan <twd2.me@xxxxxxxxx>
Signed-off-by: Letu Ren <fantasquex@xxxxxxxxx>
Signed-off-by: Martin K. Petersen <martin.petersen@xxxxxxxxxx>
Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>
---
drivers/scsi/qedf/qedf_main.c | 5 -----
1 file changed, 5 deletions(-)

diff --git a/drivers/scsi/qedf/qedf_main.c b/drivers/scsi/qedf/qedf_main.c
index b253523217b8..01e27285b26b 100644
--- a/drivers/scsi/qedf/qedf_main.c
+++ b/drivers/scsi/qedf/qedf_main.c
@@ -3345,11 +3345,6 @@ static int __qedf_probe(struct pci_dev *pdev, int mode)
err1:
scsi_host_put(lport->host);
err0:
- if (qedf) {
- QEDF_INFO(&qedf->dbg_ctx, QEDF_LOG_DISC, "Probe done.\n");
-
- clear_bit(QEDF_PROBING, &qedf->flags);
- }
return rc;
}

--
2.35.1

Next message: Sasha Levin: "[PATCH AUTOSEL 5.4 4/9] ARM: dts: fix Moxa SDIO 'compatible', remove 'sdhci' misnomer"
Previous message: Sasha Levin: "[PATCH AUTOSEL 4.19 4/8] ARM: dts: fix Moxa SDIO 'compatible', remove 'sdhci' misnomer"
In reply to: Sasha Levin: "[PATCH AUTOSEL 4.19 4/8] ARM: dts: fix Moxa SDIO 'compatible', remove 'sdhci' misnomer"
Next in thread: Sasha Levin: "[PATCH AUTOSEL 4.19 2/8] dmaengine: xilinx_dma: cleanup for fetching xlnx,num-fstores property"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]