cve/published/2024/CVE-2024-50153.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-50153: scsi: target: core: Fix null-ptr-deref in target_alloc_device()

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 scsi: target: core: Fix null-ptr-deref in target_alloc_device()

 There is a null-ptr-deref issue reported by KASAN:

 BUG: KASAN: null-ptr-deref in target_alloc_device+0xbc4/0xbe0 [target_core_mod]
 ...
  kasan_report+0xb9/0xf0
  target_alloc_device+0xbc4/0xbe0 [target_core_mod]
  core_dev_setup_virtual_lun0+0xef/0x1f0 [target_core_mod]
  target_core_init_configfs+0x205/0x420 [target_core_mod]
  do_one_initcall+0xdd/0x4e0
 ...
  entry_SYSCALL_64_after_hwframe+0x76/0x7e

 In target_alloc_device(), if allocing memory for dev queues fails, then
 dev will be freed by dev->transport->free_device(), but dev->transport
 is not initialized at that time, which will lead to a null pointer
 reference problem.

 Fixing this bug by freeing dev with hba->backend->ops->free_device().

 The Linux kernel CVE team has assigned CVE-2024-50153 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 5.10.180 with commit 008b936bbde3e87a611b3828a0d5d2a4f99026a0 and fixed in 5.10.229 with commit 8c1e6717f60d31f8af3937c23c4f1498529584e1
 	Issue introduced in 5.11 with commit 1526d9f10c6184031e42afad0adbdde1213e8ad1 and fixed in 5.15.170 with commit 39e02fa90323243187c91bb3e8f2f5f6a9aacfc7
 	Issue introduced in 5.11 with commit 1526d9f10c6184031e42afad0adbdde1213e8ad1 and fixed in 6.1.115 with commit 895ab729425ef9bf3b6d2f8d0853abe64896f314
 	Issue introduced in 5.11 with commit 1526d9f10c6184031e42afad0adbdde1213e8ad1 and fixed in 6.6.59 with commit b80e9bc85bd9af378e7eac83e15dd129557bbdb6
 	Issue introduced in 5.11 with commit 1526d9f10c6184031e42afad0adbdde1213e8ad1 and fixed in 6.11.6 with commit 14a6a2adb440e4ae97bee73b2360946bd033dadd
 	Issue introduced in 5.11 with commit 1526d9f10c6184031e42afad0adbdde1213e8ad1 and fixed in 6.12 with commit fca6caeb4a61d240f031914413fcc69534f6dc03

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-50153
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	drivers/target/target_core_device.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/8c1e6717f60d31f8af3937c23c4f1498529584e1
 	https://git.kernel.org/stable/c/39e02fa90323243187c91bb3e8f2f5f6a9aacfc7
 	https://git.kernel.org/stable/c/895ab729425ef9bf3b6d2f8d0853abe64896f314
 	https://git.kernel.org/stable/c/b80e9bc85bd9af378e7eac83e15dd129557bbdb6
 	https://git.kernel.org/stable/c/14a6a2adb440e4ae97bee73b2360946bd033dadd
 	https://git.kernel.org/stable/c/fca6caeb4a61d240f031914413fcc69534f6dc03
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-50153: scsi: target: core: Fix null-ptr-deref in target_alloc_device()

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	scsi: target: core: Fix null-ptr-deref in target_alloc_device()

	There is a null-ptr-deref issue reported by KASAN:

	BUG: KASAN: null-ptr-deref in target_alloc_device+0xbc4/0xbe0 [target_core_mod]
	...
	kasan_report+0xb9/0xf0
	target_alloc_device+0xbc4/0xbe0 [target_core_mod]
	core_dev_setup_virtual_lun0+0xef/0x1f0 [target_core_mod]
	target_core_init_configfs+0x205/0x420 [target_core_mod]
	do_one_initcall+0xdd/0x4e0
	...
	entry_SYSCALL_64_after_hwframe+0x76/0x7e

	In target_alloc_device(), if allocing memory for dev queues fails, then
	dev will be freed by dev->transport->free_device(), but dev->transport
	is not initialized at that time, which will lead to a null pointer
	reference problem.

	Fixing this bug by freeing dev with hba->backend->ops->free_device().

	The Linux kernel CVE team has assigned CVE-2024-50153 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 5.10.180 with commit 008b936bbde3e87a611b3828a0d5d2a4f99026a0 and fixed in 5.10.229 with commit 8c1e6717f60d31f8af3937c23c4f1498529584e1
	Issue introduced in 5.11 with commit 1526d9f10c6184031e42afad0adbdde1213e8ad1 and fixed in 5.15.170 with commit 39e02fa90323243187c91bb3e8f2f5f6a9aacfc7
	Issue introduced in 5.11 with commit 1526d9f10c6184031e42afad0adbdde1213e8ad1 and fixed in 6.1.115 with commit 895ab729425ef9bf3b6d2f8d0853abe64896f314
	Issue introduced in 5.11 with commit 1526d9f10c6184031e42afad0adbdde1213e8ad1 and fixed in 6.6.59 with commit b80e9bc85bd9af378e7eac83e15dd129557bbdb6
	Issue introduced in 5.11 with commit 1526d9f10c6184031e42afad0adbdde1213e8ad1 and fixed in 6.11.6 with commit 14a6a2adb440e4ae97bee73b2360946bd033dadd
	Issue introduced in 5.11 with commit 1526d9f10c6184031e42afad0adbdde1213e8ad1 and fixed in 6.12 with commit fca6caeb4a61d240f031914413fcc69534f6dc03

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-50153
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	drivers/target/target_core_device.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/8c1e6717f60d31f8af3937c23c4f1498529584e1
	https://git.kernel.org/stable/c/39e02fa90323243187c91bb3e8f2f5f6a9aacfc7
	https://git.kernel.org/stable/c/895ab729425ef9bf3b6d2f8d0853abe64896f314
	https://git.kernel.org/stable/c/b80e9bc85bd9af378e7eac83e15dd129557bbdb6
	https://git.kernel.org/stable/c/14a6a2adb440e4ae97bee73b2360946bd033dadd
	https://git.kernel.org/stable/c/fca6caeb4a61d240f031914413fcc69534f6dc03