Bug 1223713 (CVE-2024-27392)

Summary: VUL-0: CVE-2024-27392: kernel: nvme: host: fix double-free of struct nvme_id_ns in ns_update_nuse()
Product: [Novell Products] SUSE Security Incidents Reporter: SMASH SMASH <smash_bz>
Component: IncidentsAssignee: Security Team bot <security-team>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P3 - Medium CC: camila.matos, vasant.karasulli
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/403876/
Whiteboard: CVSSv3.1:SUSE:CVE-2024-27392:7.0:(AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description SMASH SMASH 2024-05-02 11:36:25 UTC 
In the Linux kernel, the following vulnerability has been resolved:

nvme: host: fix double-free of struct nvme_id_ns in ns_update_nuse()

When nvme_identify_ns() fails, it frees the pointer to the struct
nvme_id_ns before it returns. However, ns_update_nuse() calls kfree()
for the pointer even when nvme_identify_ns() fails. This results in
KASAN double-free, which was observed with blktests nvme/045 with
proposed patches [1] on the kernel v6.8-rc7. Fix the double-free by
skipping kfree() when nvme_identify_ns() fails.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-27392
https://www.cve.org/CVERecord?id=CVE-2024-27392
https://git.kernel.org/stable/c/534f9dc7fe495b3f9cc84363898ac50c5a25fccb
https://git.kernel.org/stable/c/8d0d2447394b13fb22a069f0330f9c49b7fff9d3
https://git.kernel.org/pub/scm/linux/security/vulns.git/plain/cve/published/2024/CVE-2024-27392.mbox
https://bugzilla.redhat.com/show_bug.cgi?id=2278526
Comment 2 Andrea Mattiazzo 2024-05-31 13:17:28 UTC 
All done, closing.