CVE-2022-49082

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> scsi: mpt3sas: Fix use after free in _scsih_expander_node_remove()<br /> <br /> The function mpt3sas_transport_port_remove() called in<br /> _scsih_expander_node_remove() frees the port field of the sas_expander<br /> structure, leading to the following use-after-free splat from KASAN when<br /> the ioc_info() call following that function is executed (e.g. when doing<br /> rmmod of the driver module):<br /> <br /> [ 3479.371167] ==================================================================<br /> [ 3479.378496] BUG: KASAN: use-after-free in _scsih_expander_node_remove+0x710/0x750 [mpt3sas]<br /> [ 3479.386936] Read of size 1 at addr ffff8881c037691c by task rmmod/1531<br /> [ 3479.393524]<br /> [ 3479.395035] CPU: 18 PID: 1531 Comm: rmmod Not tainted 5.17.0-rc8+ #1436<br /> [ 3479.401712] Hardware name: Supermicro Super Server/H12SSL-NT, BIOS 2.1 06/02/2021<br /> [ 3479.409263] Call Trace:<br /> [ 3479.411743] <br /> [ 3479.413875] dump_stack_lvl+0x45/0x59<br /> [ 3479.417582] print_address_description.constprop.0+0x1f/0x120<br /> [ 3479.423389] ? _scsih_expander_node_remove+0x710/0x750 [mpt3sas]<br /> [ 3479.429469] kasan_report.cold+0x83/0xdf<br /> [ 3479.433438] ? _scsih_expander_node_remove+0x710/0x750 [mpt3sas]<br /> [ 3479.439514] _scsih_expander_node_remove+0x710/0x750 [mpt3sas]<br /> [ 3479.445411] ? _raw_spin_unlock_irqrestore+0x2d/0x40<br /> [ 3479.452032] scsih_remove+0x525/0xc90 [mpt3sas]<br /> [ 3479.458212] ? mpt3sas_expander_remove+0x1d0/0x1d0 [mpt3sas]<br /> [ 3479.465529] ? down_write+0xde/0x150<br /> [ 3479.470746] ? up_write+0x14d/0x460<br /> [ 3479.475840] ? kernfs_find_ns+0x137/0x310<br /> [ 3479.481438] pci_device_remove+0x65/0x110<br /> [ 3479.487013] __device_release_driver+0x316/0x680<br /> [ 3479.493180] driver_detach+0x1ec/0x2d0<br /> [ 3479.498499] bus_remove_driver+0xe7/0x2d0<br /> [ 3479.504081] pci_unregister_driver+0x26/0x250<br /> [ 3479.510033] _mpt3sas_exit+0x2b/0x6cf [mpt3sas]<br /> [ 3479.516144] __x64_sys_delete_module+0x2fd/0x510<br /> [ 3479.522315] ? free_module+0xaa0/0xaa0<br /> [ 3479.527593] ? __cond_resched+0x1c/0x90<br /> [ 3479.532951] ? lockdep_hardirqs_on_prepare+0x273/0x3e0<br /> [ 3479.539607] ? syscall_enter_from_user_mode+0x21/0x70<br /> [ 3479.546161] ? trace_hardirqs_on+0x1c/0x110<br /> [ 3479.551828] do_syscall_64+0x35/0x80<br /> [ 3479.556884] entry_SYSCALL_64_after_hwframe+0x44/0xae<br /> [ 3479.563402] RIP: 0033:0x7f1fc482483b<br /> ...<br /> [ 3479.943087] ==================================================================<br /> <br /> Fix this by introducing the local variable port_id to store the port ID<br /> value before executing mpt3sas_transport_port_remove(). This local variable<br /> is then used in the call to ioc_info() instead of dereferencing the freed<br /> port structure.