CVE-2022-48666
CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
In the Linux kernel, the following vulnerability has been resolved:
scsi: core: Fix a use-after-free
There are two .exit_cmd_priv implementations. Both implementations use resources associated with the SCSI host. Make sure that these resources are still available when .exit_cmd_priv is called by waiting inside scsi_remove_host() until the tag set has been freed.
This commit fixes the following use-after-free:
================================================================== BUG: KASAN: use-after-free in srp_exit_cmd_priv+0x27/0xd0 [ib_srp] Read of size 8 at addr ffff888100337000 by task multipathd/16727 Call Trace: <TASK> dump_stack_lvl+0x34/0x44 print_report.cold+0x5e/0x5db kasan_report+0xab/0x120 srp_exit_cmd_priv+0x27/0xd0 [ib_srp] scsi_mq_exit_request+0x4d/0x70 blk_mq_free_rqs+0x143/0x410 __blk_mq_free_map_and_rqs+0x6e/0x100 blk_mq_free_tag_set+0x2b/0x160 scsi_host_dev_release+0xf3/0x1a0 device_release+0x54/0xe0 kobject_put+0xa5/0x120 device_release+0x54/0xe0 kobject_put+0xa5/0x120 scsi_device_dev_release_usercontext+0x4c1/0x4e0 execute_in_process_context+0x23/0x90 device_release+0x54/0xe0 kobject_put+0xa5/0x120 scsi_disk_release+0x3f/0x50 device_release+0x54/0xe0 kobject_put+0xa5/0x120 disk_release+0x17f/0x1b0 device_release+0x54/0xe0 kobject_put+0xa5/0x120 dm_put_table_device+0xa3/0x160 [dm_mod] dm_put_device+0xd0/0x140 [dm_mod] free_priority_group+0xd8/0x110 [dm_multipath] free_multipath+0x94/0xe0 [dm_multipath] dm_table_destroy+0xa2/0x1e0 [dm_mod] __dm_destroy+0x196/0x350 [dm_mod] dev_remove+0x10c/0x160 [dm_mod] ctl_ioctl+0x2c2/0x590 [dm_mod] dm_ctl_ioctl+0x5/0x10 [dm_mod] __x64_sys_ioctl+0xb4/0xf0 dm_ctl_ioctl+0x5/0x10 [dm_mod] __x64_sys_ioctl+0xb4/0xf0 do_syscall_64+0x3b/0x90 entry_SYSCALL_64_after_hwframe+0x46/0xb0
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Linux | Linux | 65ca846a53149a1a72cd8d02e7b2e73dd545b834 < 5ce8fad941233e81f2afb5b52a3fcddd3ba8732f | affected |
| Linux | Linux | 65ca846a53149a1a72cd8d02e7b2e73dd545b834 < f818708eeeae793e12dc39f8984ed7732048a7d9 | affected |
| Linux | Linux | 65ca846a53149a1a72cd8d02e7b2e73dd545b834 < 2e7eb4c1e8af8385de22775bd0be552f59b28c9a | affected |
| Linux | Linux | 65ca846a53149a1a72cd8d02e7b2e73dd545b834 < 8fe4ce5836e932f5766317cb651c1ff2a4cd0506 | affected |
| Linux | Linux | 5.7 | affected |
| Linux | Linux | 0 < 5.7 | unaffected |
| Linux | Linux | 5.10.223 <= 5.10.* | unaffected |
| Linux | Linux | 5.15.164 <= 5.15.* | unaffected |
| Linux | Linux | 5.19.12 <= 5.19.* | unaffected |
| Linux | Linux | 6.0 <= * | unaffected |
Weaknesses
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: total
CVE Program Container
Additional References
- https://git.kernel.org/stable/c/5ce8fad941233e81f2afb5b52a3fcddd3ba8732f
- https://git.kernel.org/stable/c/f818708eeeae793e12dc39f8984ed7732048a7d9
- https://git.kernel.org/stable/c/2e7eb4c1e8af8385de22775bd0be552f59b28c9a
- https://git.kernel.org/stable/c/8fe4ce5836e932f5766317cb651c1ff2a4cd0506
References
- https://git.kernel.org/stable/c/5ce8fad941233e81f2afb5b52a3fcddd3ba8732f
- https://git.kernel.org/stable/c/f818708eeeae793e12dc39f8984ed7732048a7d9
- https://git.kernel.org/stable/c/2e7eb4c1e8af8385de22775bd0be552f59b28c9a
- https://git.kernel.org/stable/c/8fe4ce5836e932f5766317cb651c1ff2a4cd0506
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.