A new vulnerability, tracked as CVE-2021-46963, has been discovered and resolved in the Linux kernel. The issue lies in the SCSI driver (qla2xxx) and has the potential to cause a system crash. This article discusses the details of this vulnerability, including the affected code snippet, the bug fix, original references, and the exploit details.

The issue lies in the qla2xxx_mqueuecommand() function of the qla2xxx SCSI driver. The crash appears in the kernel log as:

RIP: 001:kmem_cache_free+0xfa/0x1b
Call Trace:
   qla2xxx_mqueuecommand+0x2b5/0x2c [qla2xxx]
   scsi_queue_rq+0x5e2/0xa40
   __blk_mq_try_issue_directly+0x128/0x1d
   blk_mq_request_issue_directly+0x4e/0xb

Exploit Details

The system crash stems from an incorrect free of the 'srb' (SCSI request block) in the qla2xxx_mqueuecommand() function. The 'srb' is now allocated by the upper layers of the kernel, so the driver no longer owns that memory, yet qla2xxx_mqueuecommand() still attempts to free it; the trace above shows the resulting fault inside kmem_cache_free(). The Smatch static analysis tool flagged this call as an unintended free operation.

Fix

The patch for this vulnerability corrects the erroneous free of the 'srb' in the qla2xxx_mqueuecommand() function. It eliminates the Smatch warning and prevents the system crash caused by the unintended free operation.
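As an added illustration of the bug class, not code from the kernel or the qla2xxx driver: a per-command 'srb' embedded in a command the upper layer owns, a cache free routine that rejects pointers it never handed out, and the error path once with and once without the invalid free. All names (srb_cache, queuecommand_buggy, queuecommand_fixed, bad_frees_for, the busy status value) are hypothetical.

```c
/* Added illustration with hypothetical names (not qla2xxx code): the per-command
 * "srb" is embedded in a command the upper layer owns, so an error path that
 * hands that embedded pointer to a cache free routine performs an invalid free. */
#include <stdint.h>
#define CACHE_SLOTS 4
#define MLQUEUE_TARGET_BUSY 0x1058  /* stand-in for SCSI_MLQUEUE_TARGET_BUSY */

struct srb { int state; };
/* The srb lives inside the command: the midlayer allocates and releases it with
 * the command (the role scsi_cmd_priv() plays in the kernel), not the driver. */
struct scsi_cmnd { int target_ready; struct srb priv; };
/* Tiny stand-in for a kmem_cache: only objects from its pool may be freed. */
struct srb_cache {
    struct srb slots[CACHE_SLOTS];
    int bad_frees;  /* frees of pointers the cache never handed out */
};
static int cache_free(struct srb_cache *c, struct srb *sp) {
    uintptr_t p = (uintptr_t)sp, lo = (uintptr_t)c->slots;
    if (p < lo || p >= lo + sizeof c->slots) {
        c->bad_frees++;  /* the real kmem_cache_free() faults here instead */
        return -1;
    }
    return 0;  /* in range: the slot would be returned to the pool here */
}

/* Error path with the bug: frees the caller-owned embedded srb. */
static int queuecommand_buggy(struct srb_cache *c, struct scsi_cmnd *cmd) {
    struct srb *sp = &cmd->priv;
    sp->state = 1;
    if (!cmd->target_ready) {
        cache_free(c, sp);  /* wrong: sp was never a cache object */
        return MLQUEUE_TARGET_BUSY;
    }
    return 0;
}

/* Corrected error path: the srb belongs to the command, so only report busy. */
static int queuecommand_fixed(struct srb_cache *c, struct scsi_cmnd *cmd) {
    (void)c;
    cmd->priv.state = 1;
    return cmd->target_ready ? 0 : MLQUEUE_TARGET_BUSY;
}

/* Queues one command to a busy target; returns how many bad frees occurred. */
int bad_frees_for(int use_fixed) {
    struct srb_cache c = {0};
    struct scsi_cmnd cmd = { 0, { 0 } };
    int rc = use_fixed ? queuecommand_fixed(&c, &cmd) : queuecommand_buggy(&c, &cmd);
    return rc == MLQUEUE_TARGET_BUSY ? c.bad_frees : -1;
}
```

The buggy path reports one invalid free per busy command, while the corrected path reports none; in the kernel the first case is the kmem_cache_free() fault in the trace above.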

Original References

1. Linux Kernel Patch: https://lore.kernel.org/linux-scsi/20210919055524.362458-1-vk.matsuba@gmail.com/

2. Linux Kernel Mailing List discussion: https://lkml.org/lkml/2021/9/19/32
The Linux Kernel Mailing List archives provide a discussion around the issue, the patch, and the Smatch warning.

Conclusion

CVE-2021-46963 is a vulnerability in the Linux kernel that affects the qla2xxx SCSI driver, causing a system crash due to an incorrect call to free the 'srb' variable. With the patch applied, this vulnerability is resolved and the updated driver no longer poses a risk to system stability.

Timeline

Published on: 02/27/2024 19:04:07 UTC
Last modified on: 02/28/2024 14:06:45 UTC