CVE-2022-48666

Severity CVSS v4.0: Pending analysis
Type: CWE-416 Use After Free
Publication date: 28/04/2024
Last modified: 20/03/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

scsi: core: Fix a use-after-free

There are two .exit_cmd_priv implementations. Both implementations use resources associated with the SCSI host. Make sure that these resources are still available when .exit_cmd_priv is called by waiting inside scsi_remove_host() until the tag set has been freed.

This commit fixes the following use-after-free:

==================================================================
BUG: KASAN: use-after-free in srp_exit_cmd_priv+0x27/0xd0 [ib_srp]
Read of size 8 at addr ffff888100337000 by task multipathd/16727
Call Trace:
 dump_stack_lvl+0x34/0x44
 print_report.cold+0x5e/0x5db
 kasan_report+0xab/0x120
 srp_exit_cmd_priv+0x27/0xd0 [ib_srp]
 scsi_mq_exit_request+0x4d/0x70
 blk_mq_free_rqs+0x143/0x410
 __blk_mq_free_map_and_rqs+0x6e/0x100
 blk_mq_free_tag_set+0x2b/0x160
 scsi_host_dev_release+0xf3/0x1a0
 device_release+0x54/0xe0
 kobject_put+0xa5/0x120
 device_release+0x54/0xe0
 kobject_put+0xa5/0x120
 scsi_device_dev_release_usercontext+0x4c1/0x4e0
 execute_in_process_context+0x23/0x90
 device_release+0x54/0xe0
 kobject_put+0xa5/0x120
 scsi_disk_release+0x3f/0x50
 device_release+0x54/0xe0
 kobject_put+0xa5/0x120
 disk_release+0x17f/0x1b0
 device_release+0x54/0xe0
 kobject_put+0xa5/0x120
 dm_put_table_device+0xa3/0x160 [dm_mod]
 dm_put_device+0xd0/0x140 [dm_mod]
 free_priority_group+0xd8/0x110 [dm_multipath]
 free_multipath+0x94/0xe0 [dm_multipath]
 dm_table_destroy+0xa2/0x1e0 [dm_mod]
 __dm_destroy+0x196/0x350 [dm_mod]
 dev_remove+0x10c/0x160 [dm_mod]
 ctl_ioctl+0x2c2/0x590 [dm_mod]
 dm_ctl_ioctl+0x5/0x10 [dm_mod]
 __x64_sys_ioctl+0xb4/0xf0
 dm_ctl_ioctl+0x5/0x10 [dm_mod]
 __x64_sys_ioctl+0xb4/0xf0
 do_syscall_64+0x3b/0x90
 entry_SYSCALL_64_after_hwframe+0x46/0xb0

Vulnerable products and versions

CPE | From | Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.7 (including) | 5.19.12 (excluding)
cpe:2.3:o:linux:linux_kernel:6.0:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.0:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.0:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.0:rc4:*:*:*:*:*:*
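
A triage helper for the version ranges listed above, added here as an example and not part of the original record or the kernel project: it maps a `uname -r` style release string to an upstream version and reports whether that version falls in a listed range. The function names and the sample release strings are assumptions made for illustration.

```python
import re

# Ranges copied from the "Vulnerable products and versions" table above.
# Sort key: (major, minor, patch, is_final, rc); an -rcN build sorts before
# the final release of the same version.
RANGE_START = (5, 7, 0, 1, 0)    # 5.7 (including)
RANGE_END = (5, 19, 12, 1, 0)    # 5.19.12 (excluding)
LISTED_RCS = {(6, 0, 0, 0, n) for n in (1, 2, 3, 4)}  # 6.0-rc1 .. 6.0-rc4

_RELEASE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-rc(\d+))?")


def release_key(release):
    """Turn a `uname -r` style string into a sortable upstream-version key."""
    m = _RELEASE.match(release.strip())
    if m is None:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    major, minor, patch = int(m[1]), int(m[2]), int(m[3] or 0)
    if m[4] is not None:
        return (major, minor, patch, 0, int(m[4]))
    return (major, minor, patch, 1, 0)


def in_listed_range(release):
    """True if the upstream version falls in a range this record lists.

    Distribution kernels often backport fixes without changing the upstream
    version number, so True means "check the vendor advisory", not "vulnerable".
    """
    key = release_key(release)
    return RANGE_START <= key < RANGE_END or key in LISTED_RCS


if __name__ == "__main__":
    # Constructed sample release strings, not taken from real hosts.
    for sample in ("5.6.19", "5.15.0-91-generic", "5.19.12", "6.0.0-rc3+"):
        print(f"{sample:20} listed={in_listed_range(sample)}")
```
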