CVE CyberSecurity Database News

CVE-2024-26929 - Double Free Vulnerability in Linux Kernel’s qla2xxx SCSI Driver (fcport) – Exploit Details and Fix

Poster -

A bug (CVE-2024-26929) in the Linux kernel's qla2xxx SCSI driver could crash your server or worse, allow exploitation via a double free of the fcport structure. This issue got officially patched, but if you’re running older kernels—especially on HPE ProLiant servers with Fibre Channel HBAs—you’re at risk. Here’s what happened, why it matters, and how to defend yourself.

Background: What is qla2xxx and Why Does It Matter?

The qla2xxx kernel module drives QLogic Fibre Channel Host Bus Adapters (HBAs). Fibre Channel is widely used in enterprise storage networking, so lots of servers rely on this.

In storage environments, events like login (PLOGI) and logout (LOGO) requests happen as part of the FC (Fibre Channel) protocol. The driver uses structures (fcport) to manage remote Fibre Channel ports.

If the kernel mishandles memory for these structures, it can run into trouble—like *double freeing* the same memory, which leads to crashes or potential exploits.

Root Cause: The Double Free

When a LOGO (logout) event happens (common in Fibre Channel), the driver code would *sometimes* try to free the same fcport structure twice. That’s bad.

Here's part of the crash dump from a server encountering this bug

-----------[ cut here ]-----------
kernel BUG at mm/slub.c:371!
invalid opcode: 000 [#1] SMP PTI
...
Call Trace:
 kfree+x238/x250
 qla2x00_els_dcmd_sp_free+x20/x230 [qla2xxx]
 qla2x00_issue_logo+x28c/x2a [qla2xxx]
...

Then qla2x00_els_dcmd_sp_free and qla2x00_issue_logo show up.

- SLUB_DEBUG kernel bug is triggered: this happens when freed memory is re-freed (“double free”).

The problematic code before the patch looked kinda like this (simplified)

// Vulnerable! fcport might get freed twice!
static void some_function(...) {
    ...
    kfree(fcport);
    ...
    kfree(fcport); // oops, double free!
}

This can cause the system to crash instantly, or, if an attacker can control the timing and memory arrangement, be a possible vector for privilege escalation.

Adding logic to check fcport is valid before freeing.

- Using the dedicated qla2x00_free_fcport() function (not raw kfree()), which safely handles cleanup.

Old code (buggy)

kfree(fcport);
...
kfree(fcport); // Second free - BOOM

Fixed code

if (fcport) {
    qla2x00_free_fcport(fcport); // Cleans up safely!
    fcport = NULL;               // Prevent further use (double free)
}

Commit Message

> Remove one of the free calls and add check for valid fcport.
> Also use function qla2x00_free_fcport() instead of kfree().

Reference:
See the official patch
(Look for “scsi: qla2xxx: Fix double free of fcport”).

What does this mean in practice?

- On affected kernels (e.g., RHEL 8: 4.18.-425.3.1.el8.x86_64), this bug can cause a kernel panic (crash), leading to denial of service.
- In some scenarios, it could be used to try a more sophisticated memory corruption attack. That means escalation to root might be possible in the right hands, depending on configuration and other factors.

You’ll see an error like

kernel BUG at mm/slub.c:371!
invalid opcode: 000 [#1] SMP PTI
...
Call Trace:
 kfree+x238/x250
...

While this crash can happen in the real world, weaponizing it for privilege escalation is nontrivial but not impossible.

How To Protect Yourself

- Patch immediately! Upgrade your kernel to a version containing the fix (Feb 2024 or later, see your distro’s notes).

References

- CVE Details – CVE-2024-26929
- Upstream Linux Kernel Commit
- Red Hat Bugzilla 2266731
- QLogic Support (Broadcom)

Conclusion

CVE-2024-26929 isn’t “just another bug”—on high-availability Linux storage setups, a crash or potential exploit in the SCSI FC path is serious business. Patch up, review your Fibre Channel infrastructure, and if you see this in logs, take it seriously.

Timeline

Published on: 05/01/2024 06:15:07 UTC
Last modified on: 08/08/2024 16:35:06 UTC