CVE-2022-50532

Summary

In the Linux kernel, the following vulnerability has been resolved:

scsi: mpt3sas: Fix possible resource leaks in mpt3sas_transport_port_add()

In mpt3sas_transport_port_add(), if sas_rphy_add() returns error, sas_rphy_free() needs be called to free the resource allocated in sas_end_device_alloc(). Otherwise a kernel crash will happen:

Unable to handle kernel NULL pointer dereference at virtual address 0000000000000108 CPU: 45 PID: 37020 Comm: bash Kdump: loaded Tainted: G W 6.1.0-rc1+ #189 pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=–) pc : device_del+0x54/0x3d0 lr : device_del+0x37c/0x3d0 Call trace: device_del+0x54/0x3d0 attribute_container_class_device_del+0x28/0x38 transport_remove_classdev+0x6c/0x80 attribute_container_device_trigger+0x108/0x110 transport_remove_device+0x28/0x38 sas_rphy_remove+0x50/0x78 [scsi_transport_sas] sas_port_delete+0x30/0x148 [scsi_transport_sas] do_sas_phy_delete+0x78/0x80 [scsi_transport_sas] device_for_each_child+0x68/0xb0 sas_remove_children+0x30/0x50 [scsi_transport_sas] sas_rphy_remove+0x38/0x78 [scsi_transport_sas] sas_port_delete+0x30/0x148 [scsi_transport_sas] do_sas_phy_delete+0x78/0x80 [scsi_transport_sas] device_for_each_child+0x68/0xb0 sas_remove_children+0x30/0x50 [scsi_transport_sas] sas_remove_host+0x20/0x38 [scsi_transport_sas] scsih_remove+0xd8/0x420 [mpt3sas]

Because transport_add_device() is not called when sas_rphy_add() fails, the device is not added. When sas_rphy_remove() is subsequently called to remove the device in the remove() path, a NULL pointer dereference happens.

Affected Software

VendorProductVersion RangeStatus
LinuxLinuxf92363d12359498f9a9960511de1a550f0ec41c2 < d60000cb1195a464080b0efb4949daf7594e0020affected
LinuxLinuxf92363d12359498f9a9960511de1a550f0ec41c2 < ce1a69cc85006b494353911b35171da195d79e25affected
LinuxLinuxf92363d12359498f9a9960511de1a550f0ec41c2 < 6a92129c8f999ff5b122c100ce7f625eb3e98c4baffected
LinuxLinuxf92363d12359498f9a9960511de1a550f0ec41c2 < 6f6768e2fc8638fabdd8802c2ef693d7aef01db1affected
LinuxLinuxf92363d12359498f9a9960511de1a550f0ec41c2 < d17bca3ddfe507874cb826d32721552da12e741faffected
LinuxLinuxf92363d12359498f9a9960511de1a550f0ec41c2 < 78316e9dfc24906dd474630928ed1d3c562b568eaffected
LinuxLinux3.8affected
LinuxLinux0 < 3.8unaffected
LinuxLinux5.4.229 <= 5.4.*unaffected
LinuxLinux5.10.163 <= 5.10.*unaffected
LinuxLinux5.15.86 <= 5.15.*unaffected
LinuxLinux6.0.16 <= 6.0.*unaffected
LinuxLinux6.1.2 <= 6.1.*unaffected
LinuxLinux6.2 <= *unaffected

Weaknesses

References