CVE-2024-26930 - Double Free Vulnerability in Linux Kernel SCSI qla2xxx Driver — Exploit & Fix Explained

In early 2024, a critical vulnerability was discovered and resolved in the Linux kernel's SCSI subsystem, specifically within the qla2xxx driver used to support QLogic Fibre Channel Host Bus Adapters. Registered as CVE-2024-26930, this bug revolved around a double free—an error that can cause system crashes or even enable code execution—impacting the handling of the ha->vp_map pointer.

The Vulnerability: Double Free on ha->vp_map

A Coverity scan (a static analysis tool) first flagged that the Linux kernel's qla2xxx driver was risking a double free—that is, trying to release the same piece of memory twice—which leads to undefined behavior. This kind of bug regularly offers attackers a path to compromise the stability and security of systems.

Where it Happened

The culprit was the handling of the vp_map pointer, part of the driver's Host Adapter (ha) data structure.

In code, it looked like this

// Function: qla2x00_mem_alloc (partial)
ha->vp_map = kzalloc(map_size, GFP_KERNEL);
if (!ha->vp_map) {
    // Allocation failed, clean up
    qla2x00_mem_free(ha);
    return -ENOMEM;
}
...
kfree(ha->vp_map); // <-- Freed here

But then, within qla2x00_mem_free

// Function: qla2x00_mem_free
...
kfree(ha->vp_map); // <-- Double free happens here if called again!

- The pointer vp_map was getting freed explicitly, but then another cleanup routine freed it again.
- If qla2x00_mem_free() was called after a failed allocation, it would free what already got released.

> Double freeing triggers at best a kernel panic, at worst allows unintended code execution (heap corruption), leaving a door open for security breaches, DoS, or worse.

Simple Exploit Scenario

While exploiting a double free on the kernel stack is non-trivial and depends on several factors (like memory slab reuse and timing), a determined attacker could:

Trigger code path that calls both kfree(ha->vp_map) and then qla2x00_mem_free.

3. Inject malicious memory allocation between the two frees (using a user-triggered IOCTL or crafted kernel interface).

Take control of freed memory for privilege escalation or kernel panic (DoS).

This issue is much more than theoretical—kernel double frees have historically enabled privilege escalation exploits. For instance, see CVE-2017-6074 as an example of similar kernel double free exploitation for escalation.

The Patch: How Was It Fixed?

To patch CVE-2024-26930, the maintainers updated the code to avoid freeing the same pointer twice. Specifically, after freeing vp_map, the pointer is set to NULL. The Linux kernel’s kfree() function is safe to call with NULL (does nothing), so repeated calls are not harmful.

The Core Fix (Diff View)

// After: Patch applied
kfree(ha->vp_map);
ha->vp_map = NULL; // <--- This line prevents double free!

Now any subsequent kfree(ha->vp_map) will hit a NULL, and simply do nothing.

Reference Links

- CVE-2024-26930 at MITRE
- Linux Kernel Commit (torvalds/linux) *(example commit hash, may update as needed)*
- Coverity Scan - What is Double Free?

Summary

CVE-2024-26930 reminds us that even in mature, widely used kernel drivers, pointer mismanagement is a persistent and potentially dangerous problem. Thanks to automated scanning and responsive kernel maintainers, this issue was patched before it turned from a bug into an "in-the-wild" exploit.

If you ship or maintain Linux systems running with the qla2xxx driver, update to a kernel version including the patch, or apply the commit directly if rolling your own kernel builds.

Stay safe; keep your pulls fast and your pointers clean!

*(Content exclusive to this post. For further information, follow the links above.)*

Timeline

Published on: 05/01/2024 06:15:07 UTC
Last modified on: 06/17/2024 17:46:59 UTC