linux-cve-announce.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
* CVE-2021-47198: scsi: lpfc: Fix use-after-free in lpfc_unreg_rpi() routine
@ 2024-04-10 18:57 Greg Kroah-Hartman
  0 siblings, 0 replies; only message in thread
From: Greg Kroah-Hartman @ 2024-04-10 18:57 UTC (permalink / raw)
  To: linux-cve-announce; +Cc: Greg Kroah-Hartman

Description
===========

In the Linux kernel, the following vulnerability has been resolved:

scsi: lpfc: Fix use-after-free in lpfc_unreg_rpi() routine

An error is detected with the following report when unloading the driver:
  "KASAN: use-after-free in lpfc_unreg_rpi+0x1b1b"

The NLP_REG_LOGIN_SEND nlp_flag is set in lpfc_reg_fab_ctrl_node(), but the
flag is not cleared upon completion of the login.

This allows a second call to lpfc_unreg_rpi() to proceed with nlp_rpi set
to LPFC_RPI_ALLOW_ERROR.  This results in a use after free access when used
as an rpi_ids array index.

Fix by clearing the NLP_REG_LOGIN_SEND nlp_flag in
lpfc_mbx_cmpl_fc_reg_login().

The Linux kernel CVE team has assigned CVE-2021-47198 to this issue.


Affected and fixed versions
===========================

	Fixed in 5.15.5 with commit dbebf865b323
	Fixed in 5.16 with commit 79b20beccea3

Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.

Unaffected versions might change over time as fixes are backported to
older supported kernel versions.  The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2021-47198
will be updated if fixes are backported, please check that for the most
up to date information about this issue.


Affected files
==============

The file(s) affected by this issue are:
	drivers/scsi/lpfc/lpfc_hbadisc.c


Mitigation
==========

The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes.  Individual
changes are never tested alone, but rather are part of a larger kernel
release.  Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all.  If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
	https://git.kernel.org/stable/c/dbebf865b3239595c1d4dba063b122862583b52a
	https://git.kernel.org/stable/c/79b20beccea3a3938a8500acef4e6b9d7c66142f

^ permalink raw reply	[flat|nested] only message in thread
only message in thread, other threads:[~2024-04-10 18:58 UTC | newest]

Thread overview: (only message) (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2024-04-10 18:57 CVE-2021-47198: scsi: lpfc: Fix use-after-free in lpfc_unreg_rpi() routine Greg Kroah-Hartman

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).