[BUG] scsi: megaraid_sas: possible use-after-free caused by bad error handling in megasas_probe_one()

* [BUG] scsi: megaraid_sas: possible use-after-free caused by bad error handling in megasas_probe_one()
@ 2022-09-06  6:33 Zixuan Fu
  0 siblings, 0 replies; only message in thread
From: Zixuan Fu @ 2022-09-06  6:33 UTC (permalink / raw)
  To: kashyap.desai, sumit.saxena, shivasharan.srikanteshwara, jejb,
	martin.petersen
  Cc: megaraidlinux.pdl, linux-scsi, linux-kernel, baijiaju1990, TOTE Robot

Hello,

Our fault injection tool finds a possible use-after-free in the 
megaraid_sas driver in Linux 5.10.0:

In the file drivers/scsi/megaraid/megaraid_sas_base.c:
In megasas_io_attach(), the call to scsi_add_host() may fail: 
6814:	if (scsi_add_host(host, &instance->pdev->dev)) {
            ...
6818:		return -ENODEV;
6819:	}

This error is then propagated to its caller megasas_probe_one().
7414:	if (megasas_io_attach(instance))
7415:   	goto fail_io_attach;

In error handling code of megasas_probe_one(), it calls scsi_host_put():
7457:   scsi_host_put(host);

The function scsi_host_put() calls scsi_host_dev_release() to free `host`,
which contains a variable `instance`.

But megasas_probe_one() calls megasas_init_fw() before:
7372: 	if (megasas_init_fw(instance))

In megasas_init_fw(), it starts a timer:
6369:   megasas_start_timer(instance);

And megasas_probe_one() does nothing about it in error handling code. When
the timer expires, it accesses `instance`, causing a use-after-free bug.

I am not quite sure how to fix this possible bug. Any feedback would be
appreciated, thanks!

Reported-by: TOTE Robot <oslab@tsinghua.edu.cn>

Best wishes,
Zixuan Fu

^ permalink raw reply	[flat|nested] only message in thread