cve/published/2021/CVE-2021-47503.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2021-47503: scsi: pm80xx: Do not call scsi_remove_host() in pm8001_alloc()

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 scsi: pm80xx: Do not call scsi_remove_host() in pm8001_alloc()

 Calling scsi_remove_host() before scsi_add_host() results in a crash:

  BUG: kernel NULL pointer dereference, address: 0000000000000108
  RIP: 0010:device_del+0x63/0x440
  Call Trace:
   device_unregister+0x17/0x60
   scsi_remove_host+0xee/0x2a0
   pm8001_pci_probe+0x6ef/0x1b90 [pm80xx]
   local_pci_probe+0x3f/0x90

 We cannot call scsi_remove_host() in pm8001_alloc() because scsi_add_host()
 has not been called yet at that point in time.

 Function call tree:

   pm8001_pci_probe()
   |
   `- pm8001_pci_alloc()
   |  |
   |  `- pm8001_alloc()
   |     |
   |     `- scsi_remove_host()
   |
   `- scsi_add_host()

 The Linux kernel CVE team has assigned CVE-2021-47503 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 5.10 with commit 05c6c029a44d9f43715577e33e95eba87f44d285 and fixed in 5.10.85 with commit 1e434d2687e8bc0b3cdc9dd093c0e9047c0b4add
 	Issue introduced in 5.10 with commit 05c6c029a44d9f43715577e33e95eba87f44d285 and fixed in 5.15.8 with commit f8dccc1bdea7e21b5ec06c957aef8831c772661c
 	Issue introduced in 5.10 with commit 05c6c029a44d9f43715577e33e95eba87f44d285 and fixed in 5.16 with commit 653926205741add87a6cf452e21950eebc6ac10b

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2021-47503
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	drivers/scsi/pm8001/pm8001_init.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/1e434d2687e8bc0b3cdc9dd093c0e9047c0b4add
 	https://git.kernel.org/stable/c/f8dccc1bdea7e21b5ec06c957aef8831c772661c
 	https://git.kernel.org/stable/c/653926205741add87a6cf452e21950eebc6ac10b
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2021-47503: scsi: pm80xx: Do not call scsi_remove_host() in pm8001_alloc()

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	scsi: pm80xx: Do not call scsi_remove_host() in pm8001_alloc()

	Calling scsi_remove_host() before scsi_add_host() results in a crash:

	BUG: kernel NULL pointer dereference, address: 0000000000000108
	RIP: 0010:device_del+0x63/0x440
	Call Trace:
	device_unregister+0x17/0x60
	scsi_remove_host+0xee/0x2a0
	pm8001_pci_probe+0x6ef/0x1b90 [pm80xx]
	local_pci_probe+0x3f/0x90

	We cannot call scsi_remove_host() in pm8001_alloc() because scsi_add_host()
	has not been called yet at that point in time.

	Function call tree:

	pm8001_pci_probe()
	\|
	`- pm8001_pci_alloc()
	\| \|
	\| `- pm8001_alloc()
	\| \|
	\| `- scsi_remove_host()
	\|
	`- scsi_add_host()

	The Linux kernel CVE team has assigned CVE-2021-47503 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 5.10 with commit 05c6c029a44d9f43715577e33e95eba87f44d285 and fixed in 5.10.85 with commit 1e434d2687e8bc0b3cdc9dd093c0e9047c0b4add
	Issue introduced in 5.10 with commit 05c6c029a44d9f43715577e33e95eba87f44d285 and fixed in 5.15.8 with commit f8dccc1bdea7e21b5ec06c957aef8831c772661c
	Issue introduced in 5.10 with commit 05c6c029a44d9f43715577e33e95eba87f44d285 and fixed in 5.16 with commit 653926205741add87a6cf452e21950eebc6ac10b

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2021-47503
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	drivers/scsi/pm8001/pm8001_init.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/1e434d2687e8bc0b3cdc9dd093c0e9047c0b4add
	https://git.kernel.org/stable/c/f8dccc1bdea7e21b5ec06c957aef8831c772661c
	https://git.kernel.org/stable/c/653926205741add87a6cf452e21950eebc6ac10b