Bug 1777397 (CVE-2019-18806) - CVE-2019-18806 kernel: memory leak in ql_alloc_large_buffers() function in drivers/net/ethernet/qlogic/qla3xxx.c
Summary: CVE-2019-18806 kernel: memory leak in ql_alloc_large_buffers() function in dr...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2019-18806
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1826573 1829216 1829217 1829218 1829219 1829220
Blocks: 1777487
TreeView+ depends on / blocked
 
Reported: 2019-11-27 15:13 UTC by Dhananjay Arunesh
Modified: 2021-10-25 22:14 UTC (History)
44 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the way the QLogic QLA3xxx NIC HBA Driver in the Linux kernel handled resource cleanup on a DMA mapping error. This flaw allows an attacker able to trigger the DMA mapping error to crash the system.
Clone Of:
Environment:
Last Closed: 2021-10-25 22:14:42 UTC
Embargoed:

Attachments (Terms of Use)

Description Dhananjay Arunesh 2019-11-27 15:13:55 UTC 
A memory leak in the ql_alloc_large_buffers() function in drivers/net/ethernet/qlogic/qla3xxx.c in the Linux kernel allows local users to cause a denial of service (memory consumption) by triggering pci_dma_mapping_error() failures.

Reference:
https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.3.5
https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=1acb8f2a7a9f10543868ddd737e37424d5c36cf4
Comment 1 Justin M. Forbes 2019-12-02 14:14:41 UTC 
This was fixed for Fedora with the 5.3.5 stable kernel updates.
Comment 3 Doran Moppert 2020-04-22 03:11:11 UTC 
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1826573]
Comment 5 Petr Matousek 2020-04-29 08:43:58 UTC 
Mitigation:

In order to mitigate this issue it is possible to prevent the affected code from being loaded by blacklisting the kernel module qla3xxx. For instructions relating to how to blacklist a kernel module refer to: https://access.redhat.com/solutions/41278
Comment 6 Petr Matousek 2020-04-29 08:45:51 UTC 
Statement:

This issue is rated as having Low impact because of the preconditions needed to trigger the resource cleanup code path (DMA mapping error).
Comment 8 Michal Schmidt 2020-05-07 08:47:44 UTC 
(In reply to Dhananjay Arunesh from comment #0)
> A memory leak in the ql_alloc_large_buffers() function in
> drivers/net/ethernet/qlogic/qla3xxx.c in the Linux kernel allows local users
> to cause a denial of service (memory consumption) by triggering
> pci_dma_mapping_error() failures.
> 
> Reference:
> https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.3.5
> https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/
> ?id=1acb8f2a7a9f10543868ddd737e37424d5c36cf4

ql_alloc_large_buffers() is buggy, but that supposed fix is wrong. It adds a double-free.

See upstream commit cad46039e4c99812db067c8ac22a864960e7acc4
net: qlogic: Fix error paths in ql_alloc_large_buffers()
Comment 9 Michal Schmidt 2020-05-07 09:32:59 UTC 
The CVE describes a memory leak in an error path during device initialization. I would just WONTFIX that, but...
The original fix introduced a more serious problem (double free).
The subsequent proper fix (commit cad46039e4c99) corrected not only the double-free, but also two other errors:
 - calling dev_kfree_skb() with unitialized pointers.
 - DMA unmapping of memory that wasn't mapped.
These are surely more serious than a memory leak and AFAIK, no CVE has been filed for them.

Can the CVE be updated? Should a new CVE be created?
Note You need to log in before you can comment on or make changes to this bug.