Re: [PATCH] CVE-2024-26929: Add vulnerable commit information

[Harshit Mogalapalli]

Hi Greg,

+CC qla2xxx experts

On 03/01/25 12:22, Greg KH wrote:
> On Thu, Jan 02, 2025 at 12:48:26PM -0800, Harshit Mogalapalli wrote:
> > This CVE fixes: 4895009c4bb7 ("scsi: qla2xxx: Prevent command send on
> > chip reset") so add that information in vulnerable commit.
> >
> > Signed-off-by: Harshit Mogalapalli <harshit.m.mogalapalli@xxxxxxxxxx>
> > ---
> >   cve/published/2024/CVE-2024-26929.vulnerable | 1 +
> >   1 file changed, 1 insertion(+)
> >   create mode 100644 cve/published/2024/CVE-2024-26929.vulnerable
> >
> > diff --git a/cve/published/2024/CVE-2024-26929.vulnerable b/cve/published/2024/CVE-2024-26929.vulnerable
> > new file mode 100644
> > index 000000000000..b946d6f2786b
> > --- /dev/null
> > +++ b/cve/published/2024/CVE-2024-26929.vulnerable
> > @@ -0,0 +1 @@
> > +4895009c4bb72f71f2e682f1e7d2c2d96e482087
> > --
> > 2.46.0
>
> Ok, by doing this it means this whole CVE needs to be rejected as the
> vulnerable commit never shows up in a a release on its own.  Are you
> sure about this?  If so, let's just reject the CVE.

My reasoning is as follows:

The CVE fix commit: 82f522ae0d97 ("scsi: qla2xxx: Fix double free of 
fcport") states,

""
 Remove one of the free calls and add check for valid fcport. Also use
 function qla2x00_free_fcport() instead of kfree().

@@ -2784,7 +2786,6 @@ qla24xx_els_dcmd_iocb(scsi_qla_host_t *vha, int 
els_opcode,
            fcport->d_id.b.area, fcport->d_id.b.al_pa);

        wait_for_completion(&elsio->u.els_logo.comp);
-       qla2x00_free_fcport(fcport);

        /* ref: INIT */
        kref_put(&sp->cmd_kref, qla2x00_sp_release);

""

and the same function has this sp->free = qla2x00_els_dcmd_sp_free; so 
fcport is freed twice.

and this qla2xxx_free_fcport(fcport) in the success path is added by 
commit: 4895009c4bb7 ("scsi: qla2xxx: Prevent command send on chip 
reset") so I think this commit introduced the problem.

Thanks,
Harshit


> thanks,
>
> greg k-h