CVE-2022-50459
N/A
Summary
In the Linux kernel, the following vulnerability has been resolved:
scsi: iscsi: iscsi_tcp: Fix null-ptr-deref while calling getpeername()
Fix a NULL pointer crash that occurs when we are freeing the socket at the same time we access it via sysfs.
The problem is that:
iscsi_sw_tcp_conn_get_param() and iscsi_sw_tcp_host_get_param() take the frwd_lock and do sock_hold() then drop the frwd_lock. sock_hold() does a get on the "struct sock".
iscsi_sw_tcp_release_conn() does sockfd_put() which does the last put on the "struct socket" and that does __sock_release() which sets the sock->ops to NULL.
iscsi_sw_tcp_conn_get_param() and iscsi_sw_tcp_host_get_param() then call kernel_getpeername() which accesses the NULL sock->ops.
Above we do a get on the "struct sock", but we needed a get on the "struct socket". Originally, we just held the frwd_lock the entire time but in commit bcf3a2953d36 ("scsi: iscsi: iscsi_tcp: Avoid holding spinlock while calling getpeername()") we switched to refcount based because the network layer changed and started taking a mutex in that path, so we could no longer hold the frwd_lock.
Instead of trying to maintain multiple refcounts, this just has us use a mutex for accessing the socket in the interface code paths.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Linux | Linux | bcf3a2953d36bbfb9bd44ccb3db0897d935cc485 < 884a788f065578bb640382279a83d1df433b13e6 | affected |
| Linux | Linux | bcf3a2953d36bbfb9bd44ccb3db0897d935cc485 < a26b0658751bb0a3b28386fca715333b104d32a2 | affected |
| Linux | Linux | bcf3a2953d36bbfb9bd44ccb3db0897d935cc485 < 897dbbc57d71e8a34ec1af8e573a142de457da38 | affected |
| Linux | Linux | bcf3a2953d36bbfb9bd44ccb3db0897d935cc485 < 0a0b861fce2657ba08ec356a74346b37ca4b2008 | affected |
| Linux | Linux | bcf3a2953d36bbfb9bd44ccb3db0897d935cc485 < 57569c37f0add1b6489e1a1563c71519daf732cf | affected |
| Linux | Linux | 7d29e950766327f658cb92722b9445ac3b3ae023 | affected |
| Linux | Linux | 5.8.14 < 5.9 | affected |
| Linux | Linux | 5.9 | affected |
| Linux | Linux | 0 < 5.9 | unaffected |
| Linux | Linux | 5.10.150 <= 5.10.* | unaffected |
| Linux | Linux | 5.15.75 <= 5.15.* | unaffected |
| Linux | Linux | 5.19.17 <= 5.19.* | unaffected |
| Linux | Linux | 6.0.3 <= 6.0.* | unaffected |
| Linux | Linux | 6.1 <= * | unaffected |
Weaknesses
References
- https://git.kernel.org/stable/c/884a788f065578bb640382279a83d1df433b13e6
- https://git.kernel.org/stable/c/a26b0658751bb0a3b28386fca715333b104d32a2
- https://git.kernel.org/stable/c/897dbbc57d71e8a34ec1af8e573a142de457da38
- https://git.kernel.org/stable/c/0a0b861fce2657ba08ec356a74346b37ca4b2008
- https://git.kernel.org/stable/c/57569c37f0add1b6489e1a1563c71519daf732cf
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.