Linux Kernel SCSI LPFC Null Pointer Dereference Vulnerability

Vulnerability

A null pointer dereference vulnerability has been identified in the Linux kernel's SCSI LPFC driver. This issue arises when the function 'lpfc_sli4_read_rev()' fails during the initialization of a host bus adapter (HBA). The subsequent cleanup routine, 'lpfc_sli4_vport_delete_fcp_xri_aborted()', may be executed before the HBA's hardware queues are properly allocated. As a result, the cleanup process can attempt to access the first hardware queue, leading to a null pointer dereference. This vulnerability affects several versions of the Linux kernel.
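The ordering problem described above, as a simplified user-space model with a guarded cleanup path. This is an added example, not the lpfc driver's code and not the upstream patch; every struct and function name in it is hypothetical, and the sample state is constructed.

```c
#include <stdio.h>
#include <stdlib.h>
/* Hypothetical, simplified stand-ins for adapter state; not lpfc structures. */
struct hw_queue { int aborted_xri; };
struct hba { struct hw_queue *hdwq; unsigned int nr_hdwq; }; /* hdwq is NULL until allocated */

/* Models setup: the revision read happens before the queues are allocated. */
static int hba_setup(struct hba *h, int read_rev_fails)
{
    *h = (struct hba){0};
    if (read_rev_fails)
        return -1;              /* early exit: queues were never allocated */
    h->hdwq = calloc(4, sizeof(*h->hdwq));
    if (!h->hdwq)
        return -1;
    h->nr_hdwq = 4;
    h->hdwq[0].aborted_xri = 3; /* constructed sample state */
    return 0;
}

/* The unguarded pattern reads the first queue unconditionally:
 *     pending = h->hdwq[0].aborted_xri;   (NULL dereference after failed setup)
 * Guarded form: no allocated queues means there is nothing to clean up. */
static int cleanup_aborted_xri(struct hba *h)
{
    int pending = 0;
    if (!h->hdwq || h->nr_hdwq == 0)
        return 0;
    for (unsigned int i = 0; i < h->nr_hdwq; i++) {
        pending += h->hdwq[i].aborted_xri;
        h->hdwq[i].aborted_xri = 0;
    }
    return pending;
}

static int setup_then_cleanup(int read_rev_fails)
{
    struct hba h;
    (void)hba_setup(&h, read_rev_fails); /* teardown runs whether or not setup succeeded */
    int released = cleanup_aborted_xri(&h);
    free(h.hdwq);
    return released;
}

int main(void)
{
    printf("failed/normal setup released: %d/%d\n", setup_then_cleanup(1), setup_then_cleanup(0));
    return 0;
}
```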

Impact

Exploitation of this vulnerability causes a null pointer dereference, which can lead to a denial of service by crashing the system or causing the driver to become unresponsive.

Reproduction

To reproduce this vulnerability, trigger a failure in the 'lpfc_sli4_read_rev()' function during the HBA setup process. This can be done by introducing an error that prevents the function from completing successfully. Once the error occurs, the 'lpfc_sli4_vport_delete_fcp_xri_aborted()' cleanup routine will be called before the hardware queues are allocated. When the cleanup routine attempts to access the first hardware queue, it will encounter a null pointer, causing a dereference error.

Remediation

Users can upgrade to the latest version of the Linux kernel where this vulnerability has been patched. The specific commit that addresses this issue is available in the Linux kernel stable tree.

Added: Sep 4, 2025, 4:41 PM
Updated: Sep 4, 2025, 4:41 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 2.5
exploitability: 4.3
remediation: 7.7
relevance: 0.4
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.