NACK: [SRU][N][PATCH 0/1] CVE-2024-56631
Massimiliano Pellizzer
massimiliano.pellizzer at canonical.com
Mon Mar 17 10:56:15 UTC 2025
On Thu, 6 Mar 2025 at 18:08, Andrei Gherzan
<andrei.gherzan at canonical.com> wrote:
>
> [Impact]
>
> scsi: sg: Fix slab-use-after-free read in sg_release()
> Fix a use-after-free bug in sg_release(), detected by syzbot with KASAN:
>
> BUG: KASAN: slab-use-after-free in lock_release+0x151/0xa30
> kernel/locking/lockdep.c:5838
> __mutex_unlock_slowpath+0xe2/0x750 kernel/locking/mutex.c:912
> sg_release+0x1f4/0x2e0 drivers/scsi/sg.c:407
>
> In sg_release(), the function kref_put(&sfp->f_ref, sg_remove_sfp) is
> called before releasing the open_rel_lock mutex. The kref_put() call may
> decrement the reference count of sfp to zero, triggering its cleanup
> through sg_remove_sfp(). This cleanup includes scheduling deferred work
> via sg_remove_sfp_usercontext(), which ultimately frees sfp.
>
> After kref_put(), sg_release() continues to unlock open_rel_lock and may
> reference sfp or sdp. If sfp has already been freed, this results in a
> slab-use-after-free error.
>
> Move the kref_put(&sfp->f_ref, sg_remove_sfp) call after unlocking the
> open_rel_lock mutex. This ensures:
>
> - No references to sfp or sdp occur after the reference count is
> decremented.
>
> - Cleanup functions such as sg_remove_sfp() and
> sg_remove_sfp_usercontext() can safely execute without impacting the
> mutex handling in sg_release().
>
> The fix has been tested and validated by syzbot. This patch closes the
> bug reported at the following syzkaller link and ensures proper
> sequencing of resource cleanup and mutex operations, eliminating the
> risk of use-after-free errors in sg_release().
>
> [Fix]
>
> Noble: Backported due to a context change generated by enabling runtime
> power management in scsi/sg.
> Bionic: The fix was sent to the ESM mailing list.
> Xenial: The fix was sent to the ESM mailing list.
>
> [Test Case]
>
> * Build test for all supported architectures.
> * Boot tested on amd64 architecture.
>
> [Where problems could occur]
>
> This fix only affects the Generic SCSI driver, so the impact is scoped
> by it.
>
> Suraj Sonawane (1):
> scsi: sg: Fix slab-use-after-free read in sg_release()
>
> drivers/scsi/sg.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> --
> 2.43.0
>
>
> --
> kernel-team mailing list
> kernel-team at lists.ubuntu.com
> https://lists.ubuntu.com/mailman/listinfo/kernel-team
Thanks for backporting the fix.
Unfortunately the patch has already been applied
via upstream stable updates (LP: #2102118).
Due to this I will nack this patch.
--
Massimiliano Pellizzer
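The ordering problem described in the quoted cover letter, as an added userspace model that is not part of this thread or of the kernel's sg driver: objects are marked dead instead of freed, and every access checks the flag, so the use-after-free shows up as a count. The model assumes the worst case, that the fd's deferred teardown runs and drops the last reference on the device before sg_release() reaches the unlock; struct and function names are constructed for the model.

```c
/* Instrumented model of the sg_release() ordering bug: sfp holds a reference
 * on its parent sdp, whose open_rel_lock sg_release() is holding.  Teardown
 * marks objects dead instead of freeing them, and every access checks the
 * flag, so a use-after-free becomes a counted event rather than a crash. */
#include <stdbool.h>

struct sg_device_model { int refs; bool alive; bool locked; int open_cnt; };
struct sg_fd_model     { int refs; bool alive; struct sg_device_model *parentdp; };

static int uaf_events;                        /* accesses to a dead object */
static void touch(bool alive) { if (!alive) uaf_events++; }
/* kref_put()-style helpers with the release callbacks inlined; the kernel
 * defers the fd teardown to a workqueue, the model runs it synchronously. */
static void device_put(struct sg_device_model *sdp)
{
    if (--sdp->refs == 0) sdp->alive = false; /* device destroy */
}
static void fd_put(struct sg_fd_model *sfp)
{
    if (--sfp->refs == 0) {                   /* sg_remove_sfp() */
        sfp->alive = false;
        device_put(sfp->parentdp);            /* fd's reference on sdp dropped */
    }
}
static void dev_lock(struct sg_device_model *sdp)   { touch(sdp->alive); sdp->locked = true; }
static void dev_unlock(struct sg_device_model *sdp) { touch(sdp->alive); sdp->locked = false; }
/* put_before_unlock == true is the original ordering; false is the fix.
 * Returns the number of accesses to an already-dead object. */
static int release_model(struct sg_fd_model *sfp, bool put_before_unlock)
{
    struct sg_device_model *sdp = sfp->parentdp;
    uaf_events = 0;
    dev_lock(sdp);
    if (put_before_unlock) fd_put(sfp);       /* may tear down sfp, then sdp */
    touch(sdp->alive); sdp->open_cnt--;
    dev_unlock(sdp);                          /* the mutex_unlock() site */
    if (!put_before_unlock) fd_put(sfp);      /* moved after the unlock */
    return uaf_events;
}

/* Constructed scenario: the device is already detached, so its own reference
 * is gone and the fd being closed holds the last reference on sdp. */
static int run_scenario(bool put_before_unlock)
{
    struct sg_device_model sdp = { .refs = 1, .alive = true, .locked = false, .open_cnt = 1 };
    struct sg_fd_model sfp = { .refs = 1, .alive = true, .parentdp = &sdp };
    return release_model(&sfp, put_before_unlock);
}
```

With the original ordering the model counts two accesses to the dead device (the open_cnt update and the unlock); with the put moved after the unlock it counts none.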