cve/published/2024/CVE-2024-46842.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-46842: scsi: lpfc: Handle mailbox timeouts in lpfc_get_sfp_info

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 scsi: lpfc: Handle mailbox timeouts in lpfc_get_sfp_info

 The MBX_TIMEOUT return code is not handled in lpfc_get_sfp_info and the
 routine unconditionally frees submitted mailbox commands regardless of
 return status.  The issue is that for MBX_TIMEOUT cases, when firmware
 returns SFP information at a later time, that same mailbox memory region
 references previously freed memory in its cmpl routine.

 Fix by adding checks for the MBX_TIMEOUT return code.  During mailbox
 resource cleanup, check the mbox flag to make sure that the wait did not
 timeout.  If the MBOX_WAKE flag is not set, then do not free the resources
 because it will be freed when firmware completes the mailbox at a later
 time in its cmpl routine.

 Also, increase the timeout from 30 to 60 seconds to accommodate boot
 scripts requiring longer timeouts.

 The Linux kernel CVE team has assigned CVE-2024-46842 to this issue.


 Affected and fixed versions
 ===========================

 	Fixed in 6.10.10 with commit bba47fe3b038cca3d3ebd799665ce69d6d273b58
 	Fixed in 6.11 with commit ede596b1434b57c0b3fd5c02b326efe5c54f6e48

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-46842
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	drivers/scsi/lpfc/lpfc_els.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/bba47fe3b038cca3d3ebd799665ce69d6d273b58
 	https://git.kernel.org/stable/c/ede596b1434b57c0b3fd5c02b326efe5c54f6e48
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-46842: scsi: lpfc: Handle mailbox timeouts in lpfc_get_sfp_info

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	scsi: lpfc: Handle mailbox timeouts in lpfc_get_sfp_info

	The MBX_TIMEOUT return code is not handled in lpfc_get_sfp_info and the
	routine unconditionally frees submitted mailbox commands regardless of
	return status. The issue is that for MBX_TIMEOUT cases, when firmware
	returns SFP information at a later time, that same mailbox memory region
	references previously freed memory in its cmpl routine.

	Fix by adding checks for the MBX_TIMEOUT return code. During mailbox
	resource cleanup, check the mbox flag to make sure that the wait did not
	timeout. If the MBOX_WAKE flag is not set, then do not free the resources
	because it will be freed when firmware completes the mailbox at a later
	time in its cmpl routine.

	Also, increase the timeout from 30 to 60 seconds to accommodate boot
	scripts requiring longer timeouts.

	The Linux kernel CVE team has assigned CVE-2024-46842 to this issue.


	Affected and fixed versions
	===========================

	Fixed in 6.10.10 with commit bba47fe3b038cca3d3ebd799665ce69d6d273b58
	Fixed in 6.11 with commit ede596b1434b57c0b3fd5c02b326efe5c54f6e48

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-46842
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	drivers/scsi/lpfc/lpfc_els.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/bba47fe3b038cca3d3ebd799665ce69d6d273b58
	https://git.kernel.org/stable/c/ede596b1434b57c0b3fd5c02b326efe5c54f6e48