"value":"In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: core: Fix a use-after-free\n\nThere are two .exit_cmd_priv implementations. Both implementations use\nresources associated with the SCSI host. Make sure that these resources are\nstill available when .exit_cmd_priv is called by waiting inside\nscsi_remove_host() until the tag set has been freed.\n\nThis commit fixes the following use-after-free:\n\n==================================================================\nBUG: KASAN: use-after-free in srp_exit_cmd_priv+0x27/0xd0 [ib_srp]\nRead of size 8 at addr ffff888100337000 by task multipathd/16727\nCall Trace:\n <TASK>\n dump_stack_lvl+0x34/0x44\n print_report.cold+0x5e/0x5db\n kasan_report+0xab/0x120\n srp_exit_cmd_priv+0x27/0xd0 [ib_srp]\n scsi_mq_exit_request+0x4d/0x70\n blk_mq_free_rqs+0x143/0x410\n __blk_mq_free_map_and_rqs+0x6e/0x100\n blk_mq_free_tag_set+0x2b/0x160\n scsi_host_dev_release+0xf3/0x1a0\n device_release+0x54/0xe0\n kobject_put+0xa5/0x120\n device_release+0x54/0xe0\n kobject_put+0xa5/0x120\n scsi_device_dev_release_usercontext+0x4c1/0x4e0\n execute_in_process_context+0x23/0x90\n device_release+0x54/0xe0\n kobject_put+0xa5/0x120\n scsi_disk_release+0x3f/0x50\n device_release+0x54/0xe0\n kobject_put+0xa5/0x120\n disk_release+0x17f/0x1b0\n device_release+0x54/0xe0\n kobject_put+0xa5/0x120\n dm_put_table_device+0xa3/0x160 [dm_mod]\n dm_put_device+0xd0/0x140 [dm_mod]\n free_priority_group+0xd8/0x110 [dm_multipath]\n free_multipath+0x94/0xe0 [dm_multipath]\n dm_table_destroy+0xa2/0x1e0 [dm_mod]\n __dm_destroy+0x196/0x350 [dm_mod]\n dev_remove+0x10c/0x160 [dm_mod]\n ctl_ioctl+0x2c2/0x590 [dm_mod]\n dm_ctl_ioctl+0x5/0x10 [dm_mod]\n __x64_sys_ioctl+0xb4/0xf0\n dm_ctl_ioctl+0x5/0x10 [dm_mod]\n __x64_sys_ioctl+0xb4/0xf0\n do_syscall_64+0x3b/0x90\n entry_SYSCALL_64_after_hwframe+0x46/0xb0"
"value":"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: scsi: core: corrige un use-after-free Hay dos implementaciones de .exit_cmd_priv. Ambas implementaciones utilizan recursos asociados con el host SCSI. Aseg\u00farese de que estos recursos todav\u00eda est\u00e9n disponibles cuando se llame a .exit_cmd_priv esperando dentro de scsi_remove_host() hasta que se haya liberado el conjunto de etiquetas. Esta confirmaci\u00f3n corrige el siguiente use-after-free: ======================================== =========================== ERROR: KASAN: use-after-free en srp_exit_cmd_priv+0x27/0xd0 [ib_srp] Lectura de tama\u00f1o 8 en addr ffff888100337000 por tarea multipathd/16727 Rastreo de llamadas: dump_stack_lvl+0x34/0x44 print_report.cold+0x5e/0x5db kasan_report+0xab/0x120 srp_exit_cmd_priv+0x27/0xd0 [ib_srp] +0x4d/0x70 blk_mq_free_rqs+0x143/0x410 __blk_mq_free_map_and_rqs+ 0x6e/0x100 blk_mq_free_tag_set+0x2b/0x160 scsi_host_dev_release+0xf3/0x1a0 dispositivo_release+0x54/0xe0 kobject_put+0xa5/0x120 dispositivo_release+0x54/0xe0 kobject_put+0xa5/0x120 +0x4c1/0x4e0 ejecutar_en_contexto_de_proceso+0x23/0x90 liberaci\u00f3n_de_dispositivo+0x54/0xe0 kobject_put+ 0xa5/0x120 scsi_disk_release+0x3f/0x50 dispositivo_liberaci\u00f3n+0x54/0xe0 kobject_put+0xa5/0x120 disk_release+0x17f/0x1b0 dispositivo_liberaci\u00f3n+0x54/0xe0 kobject_put+0xa5/0x120 dm_put_table_device+0xa3/0x160 [dm_mod] dm_put_device+0xd0/0x140 [dm_mod] grupo_prioridad_libre +0xd8/0x110 [dm_multipath] free_multipath+0x94/0xe0 [dm_multipath] dm_table_destroy+0xa2/0x1e0 [dm_mod] __dm_destroy+0x196/0x350 [dm_mod] dev_remove+0x10c/0x160 [dm_mod] 2c2/0x590 [dm_mod] dm_ctl_ioctl+0x5 /0x10 [dm_mod] __x64_sys_ioctl+0xb4/0xf0 dm_ctl_ioctl+0x5/0x10 [dm_mod] __x64_sys_ioctl+0xb4/0xf0 do_syscall_64+0x3b/0x90 entrada_SYSCALL_64_after_hwframe+0x46/0xb 0"
