CVE-2024-24855: 
Linux Kernel vulnerability analysis and mitigation

A race condition vulnerability (CVE-2024-24855) was discovered in the Linux kernel's SCSI device driver, specifically in the lpfc_unregister_fcf_rescan() function of the Emulex LightPulse Fibre Channel driver. The vulnerability was reported on February 1, 2024, and affects Linux kernel versions up to 2.6.33.20 and from version 6.0 up to 6.4.16 (NVD, Ubuntu Security).

The vulnerability stems from an unprotected write operation to phba->fcf.fcf_flag in the lpfc_unregister_fcf_rescan function. While the fcf_flag write operation requires spinlock phba->hbalock protection, the function lacks the necessary spinlock protection, leading to potential data race conditions. The vulnerability has been assigned a CVSS v3.1 base score of 4.7 (Medium) with the vector string CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H (NVD).

When triggered, the vulnerability can cause the phba->fcf.fcf_flag zero operation to be overwritten. Since fcf_flag is a core variable in the lpfc module that determines driver function behavior, this can lead to errors in functions like lpfc_linkdown and lpfc_work_done. The impact can range from lpfc functionality abnormalities to kernel panic or denial of service conditions, with potential for serious memory issues including double-free vulnerabilities (OpenAnolis Bug).

A fix has been implemented by adding appropriate spin_lock protection around the phba->fcf.fcf_flag |= FCF_INIT_DISC statement in the lpfc_unregister_fcf_rescan function. The patch has been accepted into the Linux kernel and is available at commit 0e881c0a4b6146b7e856735226208f48251facd8. Various Linux distributions have released patched versions, including Ubuntu which has fixed versions available for multiple releases (OpenAnolis Bug, Ubuntu Security).