Re: [PATCH] CVE-2024-26929: Add vulnerable commit information

From: Greg KH
Date: Mon Jan 06 2025 - 11:25:13 EST

Next message: Mickaël Salaün: "Re: security/landlock/fs.c:480: warning: Function parameter or struct member '' not described in 'is_access_to_paths_allowed'"
Previous message: Anup Patel: "Re: [PATCH v2] irqchip/riscv-aplic: add support for hart indexes"
In reply to: Harshit Mogalapalli: "Re: [PATCH] CVE-2024-26929: Add vulnerable commit information"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Fri, Jan 03, 2025 at 01:53:19PM +0530, Harshit Mogalapalli wrote:
> Hi Greg,
>
> +CC qla2xxx experts
>
> On 03/01/25 12:22, Greg KH wrote:
> > On Thu, Jan 02, 2025 at 12:48:26PM -0800, Harshit Mogalapalli wrote:
> > > This CVE fixes: 4895009c4bb7 ("scsi: qla2xxx: Prevent command send on
> > > chip reset") so add that information in vulnerable commit.
> > >
> > > Signed-off-by: Harshit Mogalapalli <harshit.m.mogalapalli@xxxxxxxxxx>
> > > ---
> > > cve/published/2024/CVE-2024-26929.vulnerable | 1 +
> > > 1 file changed, 1 insertion(+)
> > > create mode 100644 cve/published/2024/CVE-2024-26929.vulnerable
> > >
> > > diff --git a/cve/published/2024/CVE-2024-26929.vulnerable b/cve/published/2024/CVE-2024-26929.vulnerable
> > > new file mode 100644
> > > index 000000000000..b946d6f2786b
> > > --- /dev/null
> > > +++ b/cve/published/2024/CVE-2024-26929.vulnerable
> > > @@ -0,0 +1 @@
> > > +4895009c4bb72f71f2e682f1e7d2c2d96e482087
> > > --
> > > 2.46.0
> > >
> > >
> >
> > Ok, by doing this it means this whole CVE needs to be rejected as the
> > vulnerable commit never shows up in a a release on its own. Are you
> > sure about this? If so, let's just reject the CVE.
> >
>
> My reasoning is as follows:
>
> The CVE fix commit: 82f522ae0d97 ("scsi: qla2xxx: Fix double free of
> fcport") states,
>
> ""
> Remove one of the free calls and add check for valid fcport. Also use
> function qla2x00_free_fcport() instead of kfree().
>
> @@ -2784,7 +2786,6 @@ qla24xx_els_dcmd_iocb(scsi_qla_host_t *vha, int
> els_opcode,
> fcport->d_id.b.area, fcport->d_id.b.al_pa);
>
> wait_for_completion(&elsio->u.els_logo.comp);
> - qla2x00_free_fcport(fcport);
>
> /* ref: INIT */
> kref_put(&sp->cmd_kref, qla2x00_sp_release);
>
> ""
>
> and the same function has this sp->free = qla2x00_els_dcmd_sp_free; so
> fcport is freed twice.
>
> and this qla2xxx_free_fcport(fcport) in the success path is added by commit:
> 4895009c4bb7 ("scsi: qla2xxx: Prevent command send on chip reset") so I
> think this commit introduced the problem.

Thanks for this, I've now rejected the cve entirely.

greg k-h

Next message: Mickaël Salaün: "Re: security/landlock/fs.c:480: warning: Function parameter or struct member '' not described in 'is_access_to_paths_allowed'"
Previous message: Anup Patel: "Re: [PATCH v2] irqchip/riscv-aplic: add support for hart indexes"
In reply to: Harshit Mogalapalli: "Re: [PATCH] CVE-2024-26929: Add vulnerable commit information"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]