CVE-2024-50153

scsi: target: core: Fix null-ptr-deref in target_alloc_device()

Description

In the Linux kernel, the following vulnerability has been resolved: scsi: target: core: Fix null-ptr-deref in target_alloc_device() There is a null-ptr-deref issue reported by KASAN: BUG: KASAN: null-ptr-deref in target_alloc_device+0xbc4/0xbe0 [target_core_mod] ... kasan_report+0xb9/0xf0 target_alloc_device+0xbc4/0xbe0 [target_core_mod] core_dev_setup_virtual_lun0+0xef/0x1f0 [target_core_mod] target_core_init_configfs+0x205/0x420 [target_core_mod] do_one_initcall+0xdd/0x4e0 ... entry_SYSCALL_64_after_hwframe+0x76/0x7e In target_alloc_device(), if allocing memory for dev queues fails, then dev will be freed by dev->transport->free_device(), but dev->transport is not initialized at that time, which will lead to a null pointer reference problem. Fixing this bug by freeing dev with hba->backend->ops->free_device().

Category

5.5
CVSS
Severity: Medium
CVSS 3.1 •
EPSS 0.01%
Affected: Linux Linux
Affected: Linux Linux
Published at:
Updated at:

References

Link Tags
https://git.kernel.org/stable/c/8c1e6717f60d31f8af3937c23c4f1498529584e1 patch
https://git.kernel.org/stable/c/39e02fa90323243187c91bb3e8f2f5f6a9aacfc7 patch
https://git.kernel.org/stable/c/895ab729425ef9bf3b6d2f8d0853abe64896f314 patch
https://git.kernel.org/stable/c/b80e9bc85bd9af378e7eac83e15dd129557bbdb6 patch
https://git.kernel.org/stable/c/14a6a2adb440e4ae97bee73b2360946bd033dadd patch
https://git.kernel.org/stable/c/fca6caeb4a61d240f031914413fcc69534f6dc03 patch

Frequently Asked Questions

What is the severity of CVE-2024-50153?
CVE-2024-50153 has been scored as a medium severity vulnerability.
How to fix CVE-2024-50153?
To fix CVE-2024-50153, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2024-50153 being actively exploited in the wild?
As for now, there are no information to confirm that CVE-2024-50153 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2024-50153?
CVE-2024-50153 affects Linux Linux, Linux Linux.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.