CVE-2024-26935

scsi: core: Fix unremoved procfs host directory regression

Severity Score

"-"

*CVSS v-

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track

*SSVC

Descriptions

In the Linux kernel, the following vulnerability has been resolved:

scsi: core: Fix unremoved procfs host directory regression

Commit fc663711b944 ("scsi: core: Remove the /proc/scsi/${proc_name}
directory earlier") fixed a bug related to modules loading/unloading, by
adding a call to scsi_proc_hostdir_rm() on scsi_remove_host(). But that led
to a potential duplicate call to the hostdir_rm() routine, since it's also
called from scsi_host_dev_release(). That triggered a regression report,
which was then fixed by commit be03df3d4bfe ("scsi: core: Fix a procfs host
directory removal regression"). The fix just dropped the hostdir_rm() call
from dev_release().

But it happens that this proc directory is created on scsi_host_alloc(),
and that function "pairs" with scsi_host_dev_release(), while
scsi_remove_host() pairs with scsi_add_host(). In other words, it seems the
reason for removing the proc directory on dev_release() was meant to cover
cases in which a SCSI host structure was allocated, but the call to
scsi_add_host() didn't happen. And that pattern happens to exist in some
error paths, for example.

Syzkaller causes that by using USB raw gadget device, error'ing on
usb-storage driver, at usb_stor_probe2(). By checking that path, we can see
that the BadDevice label leads to a scsi_host_put() after a SCSI host
allocation, but there's no call to scsi_add_host() in such path. That leads
to messages like this in dmesg (and a leak of the SCSI host proc
structure):

usb-storage 4-1:87.51: USB Mass Storage device detected
proc_dir_entry 'scsi/usb-storage' already registered
WARNING: CPU: 1 PID: 3519 at fs/proc/generic.c:377 proc_register+0x347/0x4e0 fs/proc/generic.c:376

The proper fix seems to still call scsi_proc_hostdir_rm() on dev_release(),
but guard that with the state check for SHOST_CREATED; there is even a
comment in scsi_host_dev_release() detailing that: such conditional is
meant for cases where the SCSI host was allocated but there was no calls to
{add,remove}_host(), like the usb-storage case.

This is what we propose here and with that, the error path of usb-storage
does not trigger the warning anymore.

En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: scsi: core: corrige la regresión del directorio del host procfs no eliminado. el commit fc663711b944 ("scsi: core: elimina el directorio /proc/scsi/${proc_name} anteriormente") corrigió un error relacionado con carga/descarga de módulos, agregando una llamada a scsi_proc_hostdir_rm() en scsi_remove_host(). Pero eso llevó a una posible llamada duplicada a la rutina hostdir_rm(), ya que también se llama desde scsi_host_dev_release(). Eso desencadenó un informe de regresión, que luego se solucionó mediante el commit be03df3d4bfe ("scsi: core: Fix a procfs host directorio de eliminación de regresión"). La solución simplemente eliminó la llamada hostdir_rm() desde dev_release(). Pero sucede que este directorio proc se crea en scsi_host_alloc(), y esa función se "empareja" con scsi_host_dev_release(), mientras que scsi_remove_host() se empareja con scsi_add_host(). En otras palabras, parece que la razón para eliminar el directorio proc en dev_release() fue para cubrir casos en los que se asignó una estructura de host SCSI, pero la llamada a scsi_add_host() no ocurrió. Y ese patrón existe en algunas rutas de error, por ejemplo. Syzkaller provoca que, al utilizar un dispositivo USB sin formato, se produzca un error en el controlador de almacenamiento USB, en usb_stor_probe2(). Al verificar esa ruta, podemos ver que la etiqueta BadDevice conduce a scsi_host_put() después de una asignación de host SCSI, pero no hay ninguna llamada a scsi_add_host() en dicha ruta. Eso lleva a mensajes como este en dmesg (y una fuga de la estructura del proceso del host SCSI): usb-storage 4-1:87.51: Dispositivo de almacenamiento masivo USB detectado proc_dir_entry 'scsi/usb-storage' ya registrado ADVERTENCIA: CPU: 1 PID : 3519 en fs/proc/generic.c:377 proc_register+0x347/0x4e0 fs/proc/generic.c:376 La solución adecuada parece seguir llamando a scsi_proc_hostdir_rm() en dev_release(), pero guárdela con la verificación de estado para SHOST_CREATED ; incluso hay un comentario en scsi_host_dev_release() que detalla que: dicho condicional está destinado a casos en los que se asignó el host SCSI pero no hubo llamadas a {add,remove}_host(), como el caso del almacenamiento USB. Esto es lo que proponemos aquí y con eso, la ruta de error del almacenamiento USB ya no activa la advertencia.

*Credits: N/A

CVSS Scores

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality

Integrity

Availability

* Common Vulnerability Scoring System

SSVC

Decision:Track

Exploitation

None

Automatable

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2024-02-19 CVE Reserved
2024-05-01 CVE Published
2024-05-01 EPSS Updated
2024-08-02 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CAPEC

References (15)

URL	Tag	Source
https://git.kernel.org/stable/c/88c3d3bb6469cea929ac68fd326bdcbefcdfdd83	Vuln. Introduced
https://git.kernel.org/stable/c/68c665bb185037e7eb66fb792c61da9d7151e99c	Vuln. Introduced
https://git.kernel.org/stable/c/2a764d55e938743efa7c2cba7305633bcf227f09	Vuln. Introduced
https://git.kernel.org/stable/c/7e0ae8667fcdd99d1756922e1140cac75f5fa279	Vuln. Introduced
https://git.kernel.org/stable/c/be03df3d4bfe7e8866d4aa43d62e648ffe884f5f	Vuln. Introduced
https://git.kernel.org/stable/c/73f030d4ef6d1ad17f824a0a2eb637ef7a9c7d51	Vuln. Introduced
https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html

URL	Date	SRC

URL	Date	SRC
https://git.kernel.org/stable/c/0053f15d50d50c9312d8ab9c11e2e405812dfcac	2024-04-13
https://git.kernel.org/stable/c/5c2386ba80e779a92ec3bb64ccadbedd88f779b1	2024-04-13
https://git.kernel.org/stable/c/cea234bb214b17d004dfdccce4491e6ff57c96ee	2024-04-10
https://git.kernel.org/stable/c/3678cf67ff7136db1dd3bf63c361650db5d92889	2024-04-03
https://git.kernel.org/stable/c/d4c34782b6d7b1e68d18d9549451b19433bd4c6c	2024-04-03
https://git.kernel.org/stable/c/e293c773c13b830cdc251f155df2254981abc320	2024-04-03
https://git.kernel.org/stable/c/f4ff08fab66eb5c0b97e1a24edac052fb40bf5d7	2024-04-03
https://git.kernel.org/stable/c/f23a4d6e07570826fe95023ca1aa96a011fa9f84	2024-03-25

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.4.238 < 5.4.274 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.4.238 < 5.4.274"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.10.176 < 5.10.215 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.10.176 < 5.10.215"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.15.104 < 5.15.154 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.15.104 < 5.15.154"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 6.1.21 < 6.1.84 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.1.21 < 6.1.84"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 6.3 < 6.6.24 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.3 < 6.6.24"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 6.3 < 6.7.12 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.3 < 6.7.12"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 6.3 < 6.8.3 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.3 < 6.8.3"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 6.3 < 6.9 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.3 < 6.9"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				6.2.8 Search vendor "Linux" for product "Linux Kernel" and version "6.2.8"		en		Affected