CVE-2024-53227

scsi: bfa: Fix use-after-free in bfad_im_module_exit()

Severity Score

"-"

*CVSS v-

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

In the Linux kernel, the following vulnerability has been resolved:

scsi: bfa: Fix use-after-free in bfad_im_module_exit()

BUG: KASAN: slab-use-after-free in __lock_acquire+0x2aca/0x3a20
Read of size 8 at addr ffff8881082d80c8 by task modprobe/25303

Call Trace:
<TASK>
dump_stack_lvl+0x95/0xe0
print_report+0xcb/0x620
kasan_report+0xbd/0xf0
__lock_acquire+0x2aca/0x3a20
lock_acquire+0x19b/0x520
_raw_spin_lock+0x2b/0x40
attribute_container_unregister+0x30/0x160
fc_release_transport+0x19/0x90 [scsi_transport_fc]
bfad_im_module_exit+0x23/0x60 [bfa]
bfad_init+0xdb/0xff0 [bfa]
do_one_initcall+0xdc/0x550
do_init_module+0x22d/0x6b0
load_module+0x4e96/0x5ff0
init_module_from_file+0xcd/0x130
idempotent_init_module+0x330/0x620
__x64_sys_finit_module+0xb3/0x110
do_syscall_64+0xc1/0x1d0
entry_SYSCALL_64_after_hwframe+0x77/0x7f
</TASK>

Allocated by task 25303:
kasan_save_stack+0x24/0x50
kasan_save_track+0x14/0x30
__kasan_kmalloc+0x7f/0x90
fc_attach_transport+0x4f/0x4740 [scsi_transport_fc]
bfad_im_module_init+0x17/0x80 [bfa]
bfad_init+0x23/0xff0 [bfa]
do_one_initcall+0xdc/0x550
do_init_module+0x22d/0x6b0
load_module+0x4e96/0x5ff0
init_module_from_file+0xcd/0x130
idempotent_init_module+0x330/0x620
__x64_sys_finit_module+0xb3/0x110
do_syscall_64+0xc1/0x1d0
entry_SYSCALL_64_after_hwframe+0x77/0x7f

Freed by task 25303:
kasan_save_stack+0x24/0x50
kasan_save_track+0x14/0x30
kasan_save_free_info+0x3b/0x60
__kasan_slab_free+0x38/0x50
kfree+0x212/0x480
bfad_im_module_init+0x7e/0x80 [bfa]
bfad_init+0x23/0xff0 [bfa]
do_one_initcall+0xdc/0x550
do_init_module+0x22d/0x6b0
load_module+0x4e96/0x5ff0
init_module_from_file+0xcd/0x130
idempotent_init_module+0x330/0x620
__x64_sys_finit_module+0xb3/0x110
do_syscall_64+0xc1/0x1d0
entry_SYSCALL_64_after_hwframe+0x77/0x7f

Above issue happens as follows:

bfad_init
error = bfad_im_module_init()
fc_release_transport(bfad_im_scsi_transport_template);
if (error)
goto ext;

ext:
bfad_im_module_exit();
fc_release_transport(bfad_im_scsi_transport_template);
--> Trigger double release

Don't call bfad_im_module_exit() if bfad_im_module_init() failed.

*Credits: N/A

CVSS Scores

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality

Integrity

Availability

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2024-11-19 CVE Reserved
2024-12-27 CVE Published
2024-12-27 CVE Updated
2024-12-28 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CAPEC

References (10)

URL	Tag	Source
https://git.kernel.org/stable/c/7725ccfda59715ecf8f99e3b520a0b84cc2ea79e	Vuln. Introduced

URL	Date	SRC

URL	Date	SRC
https://git.kernel.org/stable/c/0ceac8012d3ddea3317f0d82934293d05feb8af1	2024-12-05
https://git.kernel.org/stable/c/3932c753f805a02e9364a4c58b590f21901f8490	2024-12-14
https://git.kernel.org/stable/c/ef2c2580189ea88a0dcaf56eb3a565763a900edb	2024-12-14
https://git.kernel.org/stable/c/e76181a5be90abcc3ed8a300bd13878aa214d022	2024-12-14
https://git.kernel.org/stable/c/8f5a97443b547b4c83f876f1d6a11df0f1fd4efb	2024-12-14
https://git.kernel.org/stable/c/c28409f851abd93b37969cac7498828ad533afd9	2024-12-09
https://git.kernel.org/stable/c/1ffdde30a90bf8efe8f270407f486706962b3292	2024-12-05
https://git.kernel.org/stable/c/a2b5035ab0e368e8d8a371e27fbc72f133c0bd40	2024-12-05
https://git.kernel.org/stable/c/178b8f38932d635e90f5f0e9af1986c6f4a89271	2024-11-07

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 2.6.32 < 4.19.325 Search vendor "Linux" for product "Linux Kernel" and version " >= 2.6.32 < 4.19.325"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 2.6.32 < 5.4.287 Search vendor "Linux" for product "Linux Kernel" and version " >= 2.6.32 < 5.4.287"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 2.6.32 < 5.10.231 Search vendor "Linux" for product "Linux Kernel" and version " >= 2.6.32 < 5.10.231"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 2.6.32 < 5.15.174 Search vendor "Linux" for product "Linux Kernel" and version " >= 2.6.32 < 5.15.174"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 2.6.32 < 6.1.120 Search vendor "Linux" for product "Linux Kernel" and version " >= 2.6.32 < 6.1.120"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 2.6.32 < 6.6.64 Search vendor "Linux" for product "Linux Kernel" and version " >= 2.6.32 < 6.6.64"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 2.6.32 < 6.11.11 Search vendor "Linux" for product "Linux Kernel" and version " >= 2.6.32 < 6.11.11"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 2.6.32 < 6.12.2 Search vendor "Linux" for product "Linux Kernel" and version " >= 2.6.32 < 6.12.2"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 2.6.32 < 6.13-rc1 Search vendor "Linux" for product "Linux Kernel" and version " >= 2.6.32 < 6.13-rc1"		en		Affected