In the Linux kernel, the following vulnerability has been resolved:
scsi: sg: Avoid sg device teardown race
sgremovesfpusercontext() must not use sgdevicedestroy() after calling scsidevice_put().
sgdevicedestroy() is accessing the parent scsidevice requestqueue which will already be set to NULL when the preceding call to scsideviceput() removed the last reference to the parent scsi_device.
The resulting NULL pointer exception will then crash the kernel.
{ "vanir_signatures": [ { "digest": { "length": 902.0, "function_hash": "93041963892864267376507955379659494309" }, "target": { "function": "sg_remove_sfp_usercontext", "file": "drivers/scsi/sg.c" }, "signature_type": "Function", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@b0d1ebcc1a9560e494ea9b3ee808540db26c5086", "deprecated": false, "signature_version": "v1", "id": "CVE-2024-35954-021d57be" }, { "digest": { "length": 902.0, "function_hash": "93041963892864267376507955379659494309" }, "target": { "function": "sg_remove_sfp_usercontext", "file": "drivers/scsi/sg.c" }, "signature_type": "Function", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@27f58c04a8f438078583041468ec60597841284d", "deprecated": false, "signature_version": "v1", "id": "CVE-2024-35954-15dfec23" }, { "digest": { "length": 902.0, "function_hash": "93041963892864267376507955379659494309" }, "target": { "function": "sg_remove_sfp_usercontext", "file": "drivers/scsi/sg.c" }, "signature_type": "Function", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@46af9047523e2517712ae8e71d984286c626e022", "deprecated": false, "signature_version": "v1", "id": "CVE-2024-35954-331c25b8" }, { "digest": { "line_hashes": [ "145537013495947612375378247592753457561", "13557752983133269548375418634335156159", "27646978872938459708983584540224798470", "316835235258385083355150090826857041708", "191812292215513046967995430404577111269", "173433213063119431435056505685353744315", "251629853924630427350526365264654746320", "69439444062648953689794667635780052495", "213987910898629743795759742475931576905" ], "threshold": 0.9 }, "target": { "file": "drivers/scsi/sg.c" }, "signature_type": "Line", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@46af9047523e2517712ae8e71d984286c626e022", "deprecated": false, "signature_version": "v1", "id": "CVE-2024-35954-4eb0d1ff" }, { "digest": { "line_hashes": [ "145537013495947612375378247592753457561", "13557752983133269548375418634335156159", "27646978872938459708983584540224798470", "316835235258385083355150090826857041708", "191812292215513046967995430404577111269", "173433213063119431435056505685353744315", "251629853924630427350526365264654746320", "69439444062648953689794667635780052495", "213987910898629743795759742475931576905" ], "threshold": 0.9 }, "target": { "file": "drivers/scsi/sg.c" }, "signature_type": "Line", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@b0d1ebcc1a9560e494ea9b3ee808540db26c5086", "deprecated": false, "signature_version": "v1", "id": "CVE-2024-35954-6516d46d" }, { "digest": { "line_hashes": [ "145537013495947612375378247592753457561", "13557752983133269548375418634335156159", "27646978872938459708983584540224798470", "316835235258385083355150090826857041708", "191812292215513046967995430404577111269", "173433213063119431435056505685353744315", "251629853924630427350526365264654746320", "69439444062648953689794667635780052495", "213987910898629743795759742475931576905" ], "threshold": 0.9 }, "target": { "file": "drivers/scsi/sg.c" }, "signature_type": "Line", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@27f58c04a8f438078583041468ec60597841284d", "deprecated": false, "signature_version": "v1", "id": "CVE-2024-35954-860a4f06" } ] }