CVE-2022-50532
N/A
Summary
In the Linux kernel, the following vulnerability has been resolved:
scsi: mpt3sas: Fix possible resource leaks in mpt3sas_transport_port_add()
In mpt3sas_transport_port_add(), if sas_rphy_add() returns error, sas_rphy_free() needs be called to free the resource allocated in sas_end_device_alloc(). Otherwise a kernel crash will happen:
Unable to handle kernel NULL pointer dereference at virtual address 0000000000000108 CPU: 45 PID: 37020 Comm: bash Kdump: loaded Tainted: G W 6.1.0-rc1+ #189 pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=–) pc : device_del+0x54/0x3d0 lr : device_del+0x37c/0x3d0 Call trace: device_del+0x54/0x3d0 attribute_container_class_device_del+0x28/0x38 transport_remove_classdev+0x6c/0x80 attribute_container_device_trigger+0x108/0x110 transport_remove_device+0x28/0x38 sas_rphy_remove+0x50/0x78 [scsi_transport_sas] sas_port_delete+0x30/0x148 [scsi_transport_sas] do_sas_phy_delete+0x78/0x80 [scsi_transport_sas] device_for_each_child+0x68/0xb0 sas_remove_children+0x30/0x50 [scsi_transport_sas] sas_rphy_remove+0x38/0x78 [scsi_transport_sas] sas_port_delete+0x30/0x148 [scsi_transport_sas] do_sas_phy_delete+0x78/0x80 [scsi_transport_sas] device_for_each_child+0x68/0xb0 sas_remove_children+0x30/0x50 [scsi_transport_sas] sas_remove_host+0x20/0x38 [scsi_transport_sas] scsih_remove+0xd8/0x420 [mpt3sas]
Because transport_add_device() is not called when sas_rphy_add() fails, the device is not added. When sas_rphy_remove() is subsequently called to remove the device in the remove() path, a NULL pointer dereference happens.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Linux | Linux | f92363d12359498f9a9960511de1a550f0ec41c2 < d60000cb1195a464080b0efb4949daf7594e0020 | affected |
| Linux | Linux | f92363d12359498f9a9960511de1a550f0ec41c2 < ce1a69cc85006b494353911b35171da195d79e25 | affected |
| Linux | Linux | f92363d12359498f9a9960511de1a550f0ec41c2 < 6a92129c8f999ff5b122c100ce7f625eb3e98c4b | affected |
| Linux | Linux | f92363d12359498f9a9960511de1a550f0ec41c2 < 6f6768e2fc8638fabdd8802c2ef693d7aef01db1 | affected |
| Linux | Linux | f92363d12359498f9a9960511de1a550f0ec41c2 < d17bca3ddfe507874cb826d32721552da12e741f | affected |
| Linux | Linux | f92363d12359498f9a9960511de1a550f0ec41c2 < 78316e9dfc24906dd474630928ed1d3c562b568e | affected |
| Linux | Linux | 3.8 | affected |
| Linux | Linux | 0 < 3.8 | unaffected |
| Linux | Linux | 5.4.229 <= 5.4.* | unaffected |
| Linux | Linux | 5.10.163 <= 5.10.* | unaffected |
| Linux | Linux | 5.15.86 <= 5.15.* | unaffected |
| Linux | Linux | 6.0.16 <= 6.0.* | unaffected |
| Linux | Linux | 6.1.2 <= 6.1.* | unaffected |
| Linux | Linux | 6.2 <= * | unaffected |
Weaknesses
References
- https://git.kernel.org/stable/c/d60000cb1195a464080b0efb4949daf7594e0020
- https://git.kernel.org/stable/c/ce1a69cc85006b494353911b35171da195d79e25
- https://git.kernel.org/stable/c/6a92129c8f999ff5b122c100ce7f625eb3e98c4b
- https://git.kernel.org/stable/c/6f6768e2fc8638fabdd8802c2ef693d7aef01db1
- https://git.kernel.org/stable/c/d17bca3ddfe507874cb826d32721552da12e741f
- https://git.kernel.org/stable/c/78316e9dfc24906dd474630928ed1d3c562b568e
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.