A recently disclosed and fixed Linux kernel bug, tracked as CVE-2024-26931, causes a system crash when a SCSI command is not flushed back to the SCSI mid-layer. The defect is in the qla2xxx Fibre Channel HBA driver (drivers/scsi/qla2xxx), not in the generic SCSI command layer: under memory pressure, a cable pull (which tears down the Fibre Channel session) could leave a command stranded inside the driver, and a later teardown then dereferenced a null pointer. The fix makes sure every outstanding command is flushed back to the SCSI layer during session teardown, which removes the null pointer access.

Details

The crash was reported on a 4.18-series kernel running under memory pressure. The crash log shows a kernel BUG message followed by the call trace of the NULL pointer access; the relevant lines are:

BUG: unable to handle kernel NULL pointer dereference at 0000000000000000
...
qla2xxx [0000:12:00.1]-f084:3: qlt_free_session_done: se_sess 0000000000000000 / sess ffff8ae1407ca000 from port 21:32:00:02:ac:07:ee:b8 loop_id 0x02 s_id 01:02:00 logout 1 keep 0 els_logo 0
...

The root cause was the driver's failure, under memory pressure, to allocate an SRB (the driver's SCSI Request Block) needed to carry out the error recovery that a cable pull triggers. Because the abort could not be issued, the affected command was never flushed back to the SCSI layer, and the upper layer, through its own error handling, started modifying the scsi_cmnd while the driver still referenced it. Once the system had freed some memory, the next cable pull triggered another flush of outstanding commands; this time the driver reached the stale command and dereferenced a null pointer while trying to DMA-unmap its scatter-gather list (SGL).

To fix the bug, the developer added a check during session teardown that every outstanding command is flushed back to the SCSI layer, so that no command is left behind for a later teardown to trip over. The patch itself is not reproduced on this page; in outline, the added logic is:

...
/* Add check to make sure commands are flushed on session teardown */
if (!commands_flushed)
    ... /* complete the outstanding commands back to the SCSI layer */
...
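To make the sequence in the root-cause description and the shape of the fix concrete, here is a small user-space C model added to this page. It is not qla2xxx code, and none of its names (struct srb, sp_done, abort_srb_buggy, abort_srb_fixed, flush_all, simulate_cable_pulls, the DID_NO_CONNECT stand-in) are taken from the driver; the structures and the memory-pressure switch are constructed for illustration. It replays the reported sequence once against a driver that drops the command when the abort SRB allocation fails and once against a driver that flushes the command back on teardown regardless, and it detects the NULL SGL that crashed the real kernel instead of dereferencing it.

```c
/* Constructed user-space model of the qla2xxx "command flush on cable pull" bug.
 * Added example, not driver code: every name here is a simplified stand-in. */
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

#define DID_NO_CONNECT 0x04   /* stand-in for the SCSI host byte of that name */
#define MAX_OUTSTANDING 4
struct scatterlist { unsigned long dma_addr; };   /* stand-in for the kernel SGL */
struct scsi_cmnd {
	struct scatterlist *sgl;   /* NULL once the upper layer has reclaimed the SGL */
	int result;
	bool completed;            /* driver returned the command to the SCSI layer */
};
struct srb { struct scsi_cmnd *cmd; bool dma_mapped; };   /* stand-in for srb_t */
struct qpair { struct srb *outstanding[MAX_OUTSTANDING]; };
typedef int (*abort_fn_t)(struct qpair *qp, int idx, int res);

/* Simulated memory pressure: while set, allocating an abort SRB fails. */
static bool g_mem_pressure;

static struct srb *alloc_abort_srb(void)
{
	return g_mem_pressure ? NULL : calloc(1, sizeof(struct srb));
}

/* Driver completion: DMA-unmap the SGL, then hand the command back. A NULL
 * SGL here is where the real driver oopsed; the model returns -EFAULT instead. */
static int sp_done(struct srb *sp, int res)
{
	struct scsi_cmnd *cmd = sp->cmd;
	if (sp->dma_mapped) {
		if (!cmd->sgl)
			return -EFAULT;            /* the NULL pointer dereference */
		cmd->sgl->dma_addr = 0;            /* dma_unmap_sg() stand-in */
		sp->dma_mapped = false;
	}
	cmd->result = res;
	cmd->completed = true;
	return 0;
}

/* Buggy path: when the abort SRB cannot be allocated, the command is left in
 * outstanding[] and is never returned to the SCSI layer. */
static int abort_srb_buggy(struct qpair *qp, int idx, int res)
{
	struct srb *sp = qp->outstanding[idx];
	struct srb *abt = alloc_abort_srb();
	if (!abt)
		return -ENOMEM;                    /* command silently stays outstanding */
	free(abt);                                 /* abort "issued" */
	qp->outstanding[idx] = NULL;
	return sp_done(sp, res);
}

/* Fixed path: whether or not the abort could be issued, the command is flushed
 * back during teardown, so the SCSI layer never reclaims a command the driver still holds. */
static int abort_srb_fixed(struct qpair *qp, int idx, int res)
{
	struct srb *sp = qp->outstanding[idx];
	struct srb *abt = alloc_abort_srb();
	free(abt);                                 /* free(NULL) is a no-op */
	qp->outstanding[idx] = NULL;
	return sp_done(sp, res);
}

/* Session teardown: flush every outstanding command, counting failures. */
static int flush_all(struct qpair *qp, int res, abort_fn_t abort_fn)
{
	int failures = 0;
	for (int i = 0; i < MAX_OUTSTANDING; i++)
		if (qp->outstanding[i] && abort_fn(qp, i, res) != 0)
			failures++;
	return failures;
}

/* Replays the reported sequence: cable pull under memory pressure, the upper layer
 * reclaims the SGL of a command it never got back, memory is freed, second cable
 * pull. Returns how many completions in the second pull hit a NULL SGL (0 = no crash). */
static int simulate_cable_pulls(bool fixed)
{
	struct scatterlist sg = { .dma_addr = 0x1000 };
	struct scsi_cmnd cmd = { .sgl = &sg };
	struct srb sp = { .cmd = &cmd, .dma_mapped = true };
	struct qpair qp = { .outstanding = { &sp } };
	abort_fn_t abort_fn = fixed ? abort_srb_fixed : abort_srb_buggy;
	g_mem_pressure = true;
	flush_all(&qp, DID_NO_CONNECT, abort_fn);         /* first cable pull */
	if (!cmd.completed)
		cmd.sgl = NULL;                            /* upper layer modifies the scsi_cmnd */
	g_mem_pressure = false;
	return flush_all(&qp, DID_NO_CONNECT, abort_fn);  /* second cable pull */
}

int main(void)
{
	printf("buggy: %d NULL-SGL unmap(s) on second pull\n", simulate_cable_pulls(false));
	printf("fixed: %d NULL-SGL unmap(s) on second pull\n", simulate_cable_pulls(true));
	return 0;
}
```

Compile and run with `cc -Wall model.c && ./a.out`: the buggy path reports one NULL-SGL unmap on the second pull, the fixed path none. The structural point is that the fix is an ownership rule rather than a NULL check on the unmap path: once the driver has decided a command is dead, it must return it to the SCSI layer in that same teardown, otherwise two layers believe they own the scsi_cmnd and the next teardown works on memory the upper layer has already changed.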

References

1. Original patch: scsi: qla2xxx: Fix command flush on cable pull
2. Additional details on the issue: Linux Kernel Mailing List

Conclusion

CVE-2024-26931 is a NULL pointer dereference in the qla2xxx Fibre Channel driver, triggered by a cable pull (session teardown) while the driver is short of memory; its practical impact is a kernel crash, i.e. a denial of service on hosts that use QLogic Fibre Channel HBAs. Administrators running such hardware should move to a kernel that carries the fix; hosts without the driver loaded (check with lsmod for qla2xxx, or lspci for a QLogic Fibre Channel adapter) are not affected. To confirm that a given kernel has the fix, look for the commit title "scsi: qla2xxx: Fix command flush on cable pull" in the kernel or distribution changelog. The lesson of the fix is that commands the driver gives up on must be flushed back to the SCSI layer in the same teardown, so that no stale command remains for a later teardown to dereference.

Timeline

Published on: 05/01/2024 06:15:07 UTC
Last modified on: 06/27/2024 13:15:57 UTC