CVE-2022-48666
Vulnerability from cvelistv5
Published
2024-04-28 13:01
Modified
2024-12-19 08:05
Summary
In the Linux kernel, the following vulnerability has been resolved: scsi: core: Fix a use-after-free There are two .exit_cmd_priv implementations. Both implementations use resources associated with the SCSI host. Make sure that these resources are still available when .exit_cmd_priv is called by waiting inside scsi_remove_host() until the tag set has been freed. This commit fixes the following use-after-free: ================================================================== BUG: KASAN: use-after-free in srp_exit_cmd_priv+0x27/0xd0 [ib_srp] Read of size 8 at addr ffff888100337000 by task multipathd/16727 Call Trace: <TASK> dump_stack_lvl+0x34/0x44 print_report.cold+0x5e/0x5db kasan_report+0xab/0x120 srp_exit_cmd_priv+0x27/0xd0 [ib_srp] scsi_mq_exit_request+0x4d/0x70 blk_mq_free_rqs+0x143/0x410 __blk_mq_free_map_and_rqs+0x6e/0x100 blk_mq_free_tag_set+0x2b/0x160 scsi_host_dev_release+0xf3/0x1a0 device_release+0x54/0xe0 kobject_put+0xa5/0x120 device_release+0x54/0xe0 kobject_put+0xa5/0x120 scsi_device_dev_release_usercontext+0x4c1/0x4e0 execute_in_process_context+0x23/0x90 device_release+0x54/0xe0 kobject_put+0xa5/0x120 scsi_disk_release+0x3f/0x50 device_release+0x54/0xe0 kobject_put+0xa5/0x120 disk_release+0x17f/0x1b0 device_release+0x54/0xe0 kobject_put+0xa5/0x120 dm_put_table_device+0xa3/0x160 [dm_mod] dm_put_device+0xd0/0x140 [dm_mod] free_priority_group+0xd8/0x110 [dm_multipath] free_multipath+0x94/0xe0 [dm_multipath] dm_table_destroy+0xa2/0x1e0 [dm_mod] __dm_destroy+0x196/0x350 [dm_mod] dev_remove+0x10c/0x160 [dm_mod] ctl_ioctl+0x2c2/0x590 [dm_mod] dm_ctl_ioctl+0x5/0x10 [dm_mod] __x64_sys_ioctl+0xb4/0xf0 dm_ctl_ioctl+0x5/0x10 [dm_mod] __x64_sys_ioctl+0xb4/0xf0 do_syscall_64+0x3b/0x90 entry_SYSCALL_64_after_hwframe+0x46/0xb0
Impacted products
Vendor Product Version
Linux Linux Version: 5.7
Show details on NVD website


{
  "containers": {
    "adp": [
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:o:linux:linux_kernel:5.7:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "linux_kernel",
            "vendor": "linux",
            "versions": [
              {
                "status": "affected",
                "version": "5.7"
              }
            ]
          },
          {
            "cpes": [
              "cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "linux_kernel",
            "vendor": "linux",
            "versions": [
              {
                "lessThan": "2e7eb4c1e8af",
                "status": "affected",
                "version": "65ca846a5314",
                "versionType": "custom"
              }
            ]
          }
        ],
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "HIGH",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 7.4,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2022-48666",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-04-29T13:16:40.985574Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-416",
                "description": "CWE-416 Use After Free",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-06-04T17:16:47.878Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T15:17:55.718Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/5ce8fad941233e81f2afb5b52a3fcddd3ba8732f"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/f818708eeeae793e12dc39f8984ed7732048a7d9"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/2e7eb4c1e8af8385de22775bd0be552f59b28c9a"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/8fe4ce5836e932f5766317cb651c1ff2a4cd0506"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/scsi/hosts.c",
            "drivers/scsi/scsi_lib.c",
            "drivers/scsi/scsi_priv.h",
            "drivers/scsi/scsi_scan.c",
            "drivers/scsi/scsi_sysfs.c",
            "include/scsi/scsi_host.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "5ce8fad941233e81f2afb5b52a3fcddd3ba8732f",
              "status": "affected",
              "version": "65ca846a53149a1a72cd8d02e7b2e73dd545b834",
              "versionType": "git"
            },
            {
              "lessThan": "f818708eeeae793e12dc39f8984ed7732048a7d9",
              "status": "affected",
              "version": "65ca846a53149a1a72cd8d02e7b2e73dd545b834",
              "versionType": "git"
            },
            {
              "lessThan": "2e7eb4c1e8af8385de22775bd0be552f59b28c9a",
              "status": "affected",
              "version": "65ca846a53149a1a72cd8d02e7b2e73dd545b834",
              "versionType": "git"
            },
            {
              "lessThan": "8fe4ce5836e932f5766317cb651c1ff2a4cd0506",
              "status": "affected",
              "version": "65ca846a53149a1a72cd8d02e7b2e73dd545b834",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/scsi/hosts.c",
            "drivers/scsi/scsi_lib.c",
            "drivers/scsi/scsi_priv.h",
            "drivers/scsi/scsi_scan.c",
            "drivers/scsi/scsi_sysfs.c",
            "include/scsi/scsi_host.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.7"
            },
            {
              "lessThan": "5.7",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.223",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.164",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.19.*",
              "status": "unaffected",
              "version": "5.19.12",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.0",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: core: Fix a use-after-free\n\nThere are two .exit_cmd_priv implementations. Both implementations use\nresources associated with the SCSI host. Make sure that these resources are\nstill available when .exit_cmd_priv is called by waiting inside\nscsi_remove_host() until the tag set has been freed.\n\nThis commit fixes the following use-after-free:\n\n==================================================================\nBUG: KASAN: use-after-free in srp_exit_cmd_priv+0x27/0xd0 [ib_srp]\nRead of size 8 at addr ffff888100337000 by task multipathd/16727\nCall Trace:\n \u003cTASK\u003e\n dump_stack_lvl+0x34/0x44\n print_report.cold+0x5e/0x5db\n kasan_report+0xab/0x120\n srp_exit_cmd_priv+0x27/0xd0 [ib_srp]\n scsi_mq_exit_request+0x4d/0x70\n blk_mq_free_rqs+0x143/0x410\n __blk_mq_free_map_and_rqs+0x6e/0x100\n blk_mq_free_tag_set+0x2b/0x160\n scsi_host_dev_release+0xf3/0x1a0\n device_release+0x54/0xe0\n kobject_put+0xa5/0x120\n device_release+0x54/0xe0\n kobject_put+0xa5/0x120\n scsi_device_dev_release_usercontext+0x4c1/0x4e0\n execute_in_process_context+0x23/0x90\n device_release+0x54/0xe0\n kobject_put+0xa5/0x120\n scsi_disk_release+0x3f/0x50\n device_release+0x54/0xe0\n kobject_put+0xa5/0x120\n disk_release+0x17f/0x1b0\n device_release+0x54/0xe0\n kobject_put+0xa5/0x120\n dm_put_table_device+0xa3/0x160 [dm_mod]\n dm_put_device+0xd0/0x140 [dm_mod]\n free_priority_group+0xd8/0x110 [dm_multipath]\n free_multipath+0x94/0xe0 [dm_multipath]\n dm_table_destroy+0xa2/0x1e0 [dm_mod]\n __dm_destroy+0x196/0x350 [dm_mod]\n dev_remove+0x10c/0x160 [dm_mod]\n ctl_ioctl+0x2c2/0x590 [dm_mod]\n dm_ctl_ioctl+0x5/0x10 [dm_mod]\n __x64_sys_ioctl+0xb4/0xf0\n dm_ctl_ioctl+0x5/0x10 [dm_mod]\n __x64_sys_ioctl+0xb4/0xf0\n do_syscall_64+0x3b/0x90\n entry_SYSCALL_64_after_hwframe+0x46/0xb0"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-12-19T08:05:21.973Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/5ce8fad941233e81f2afb5b52a3fcddd3ba8732f"
        },
        {
          "url": "https://git.kernel.org/stable/c/f818708eeeae793e12dc39f8984ed7732048a7d9"
        },
        {
          "url": "https://git.kernel.org/stable/c/2e7eb4c1e8af8385de22775bd0be552f59b28c9a"
        },
        {
          "url": "https://git.kernel.org/stable/c/8fe4ce5836e932f5766317cb651c1ff2a4cd0506"
        }
      ],
      "title": "scsi: core: Fix a use-after-free",
      "x_generator": {
        "engine": "bippy-5f407fcff5a0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2022-48666",
    "datePublished": "2024-04-28T13:01:50.526Z",
    "dateReserved": "2024-02-25T13:44:28.320Z",
    "dateUpdated": "2024-12-19T08:05:21.973Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2022-48666\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2024-04-28T13:15:08.113\",\"lastModified\":\"2024-11-21T07:33:44.053\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nscsi: core: Fix a use-after-free\\n\\nThere are two .exit_cmd_priv implementations. Both implementations use\\nresources associated with the SCSI host. Make sure that these resources are\\nstill available when .exit_cmd_priv is called by waiting inside\\nscsi_remove_host() until the tag set has been freed.\\n\\nThis commit fixes the following use-after-free:\\n\\n==================================================================\\nBUG: KASAN: use-after-free in srp_exit_cmd_priv+0x27/0xd0 [ib_srp]\\nRead of size 8 at addr ffff888100337000 by task multipathd/16727\\nCall Trace:\\n \u003cTASK\u003e\\n dump_stack_lvl+0x34/0x44\\n print_report.cold+0x5e/0x5db\\n kasan_report+0xab/0x120\\n srp_exit_cmd_priv+0x27/0xd0 [ib_srp]\\n scsi_mq_exit_request+0x4d/0x70\\n blk_mq_free_rqs+0x143/0x410\\n __blk_mq_free_map_and_rqs+0x6e/0x100\\n blk_mq_free_tag_set+0x2b/0x160\\n scsi_host_dev_release+0xf3/0x1a0\\n device_release+0x54/0xe0\\n kobject_put+0xa5/0x120\\n device_release+0x54/0xe0\\n kobject_put+0xa5/0x120\\n scsi_device_dev_release_usercontext+0x4c1/0x4e0\\n execute_in_process_context+0x23/0x90\\n device_release+0x54/0xe0\\n kobject_put+0xa5/0x120\\n scsi_disk_release+0x3f/0x50\\n device_release+0x54/0xe0\\n kobject_put+0xa5/0x120\\n disk_release+0x17f/0x1b0\\n device_release+0x54/0xe0\\n kobject_put+0xa5/0x120\\n dm_put_table_device+0xa3/0x160 [dm_mod]\\n dm_put_device+0xd0/0x140 [dm_mod]\\n free_priority_group+0xd8/0x110 [dm_multipath]\\n free_multipath+0x94/0xe0 [dm_multipath]\\n dm_table_destroy+0xa2/0x1e0 [dm_mod]\\n __dm_destroy+0x196/0x350 [dm_mod]\\n dev_remove+0x10c/0x160 [dm_mod]\\n ctl_ioctl+0x2c2/0x590 [dm_mod]\\n dm_ctl_ioctl+0x5/0x10 [dm_mod]\\n __x64_sys_ioctl+0xb4/0xf0\\n dm_ctl_ioctl+0x5/0x10 [dm_mod]\\n __x64_sys_ioctl+0xb4/0xf0\\n do_syscall_64+0x3b/0x90\\n entry_SYSCALL_64_after_hwframe+0x46/0xb0\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: scsi: core: corrige un use-after-free Hay dos implementaciones de .exit_cmd_priv. Ambas implementaciones utilizan recursos asociados con el host SCSI. Aseg\u00farese de que estos recursos todav\u00eda est\u00e9n disponibles cuando se llame a .exit_cmd_priv esperando dentro de scsi_remove_host() hasta que se haya liberado el conjunto de etiquetas. Esta confirmaci\u00f3n corrige el siguiente use-after-free: ======================================== =========================== ERROR: KASAN: use-after-free en srp_exit_cmd_priv+0x27/0xd0 [ib_srp] Lectura de tama\u00f1o 8 en addr ffff888100337000 por tarea multipathd/16727 Rastreo de llamadas:  dump_stack_lvl+0x34/0x44 print_report.cold+0x5e/0x5db kasan_report+0xab/0x120 srp_exit_cmd_priv+0x27/0xd0 [ib_srp] +0x4d/0x70 blk_mq_free_rqs+0x143/0x410 __blk_mq_free_map_and_rqs+ 0x6e/0x100 blk_mq_free_tag_set+0x2b/0x160 scsi_host_dev_release+0xf3/0x1a0 dispositivo_release+0x54/0xe0 kobject_put+0xa5/0x120 dispositivo_release+0x54/0xe0 kobject_put+0xa5/0x120 +0x4c1/0x4e0 ejecutar_en_contexto_de_proceso+0x23/0x90 liberaci\u00f3n_de_dispositivo+0x54/0xe0 kobject_put+ 0xa5/0x120 scsi_disk_release+0x3f/0x50 dispositivo_liberaci\u00f3n+0x54/0xe0 kobject_put+0xa5/0x120 disk_release+0x17f/0x1b0 dispositivo_liberaci\u00f3n+0x54/0xe0 kobject_put+0xa5/0x120 dm_put_table_device+0xa3/0x160 [dm_mod] dm_put_device+0xd0/0x140 [dm_mod] grupo_prioridad_libre +0xd8/0x110 [dm_multipath] free_multipath+0x94/0xe0 [dm_multipath] dm_table_destroy+0xa2/0x1e0 [dm_mod] __dm_destroy+0x196/0x350 [dm_mod] dev_remove+0x10c/0x160 [dm_mod] 2c2/0x590 [dm_mod] dm_ctl_ioctl+0x5 /0x10 [dm_mod] __x64_sys_ioctl+0xb4/0xf0 dm_ctl_ioctl+0x5/0x10 [dm_mod] __x64_sys_ioctl+0xb4/0xf0 do_syscall_64+0x3b/0x90 entrada_SYSCALL_64_after_hwframe+0x46/0xb 0\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":7.4,\"baseSeverity\":\"HIGH\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.4,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-416\"}]}],\"references\":[{\"url\":\"https://git.kernel.org/stable/c/2e7eb4c1e8af8385de22775bd0be552f59b28c9a\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/5ce8fad941233e81f2afb5b52a3fcddd3ba8732f\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/8fe4ce5836e932f5766317cb651c1ff2a4cd0506\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/f818708eeeae793e12dc39f8984ed7732048a7d9\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/2e7eb4c1e8af8385de22775bd0be552f59b28c9a\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://git.kernel.org/stable/c/5ce8fad941233e81f2afb5b52a3fcddd3ba8732f\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://git.kernel.org/stable/c/8fe4ce5836e932f5766317cb651c1ff2a4cd0506\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://git.kernel.org/stable/c/f818708eeeae793e12dc39f8984ed7732048a7d9\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.