CVE-2022-48666

scsi: core: Fix a use-after-free

Severity Score

7.4

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track*

*SSVC

Descriptions

In the Linux kernel, the following vulnerability has been resolved:

scsi: core: Fix a use-after-free

There are two .exit_cmd_priv implementations. Both implementations use
resources associated with the SCSI host. Make sure that these resources are
still available when .exit_cmd_priv is called by waiting inside
scsi_remove_host() until the tag set has been freed.

This commit fixes the following use-after-free:

==================================================================
BUG: KASAN: use-after-free in srp_exit_cmd_priv+0x27/0xd0 [ib_srp]
Read of size 8 at addr ffff888100337000 by task multipathd/16727
Call Trace:
<TASK>
dump_stack_lvl+0x34/0x44
print_report.cold+0x5e/0x5db
kasan_report+0xab/0x120
srp_exit_cmd_priv+0x27/0xd0 [ib_srp]
scsi_mq_exit_request+0x4d/0x70
blk_mq_free_rqs+0x143/0x410
__blk_mq_free_map_and_rqs+0x6e/0x100
blk_mq_free_tag_set+0x2b/0x160
scsi_host_dev_release+0xf3/0x1a0
device_release+0x54/0xe0
kobject_put+0xa5/0x120
device_release+0x54/0xe0
kobject_put+0xa5/0x120
scsi_device_dev_release_usercontext+0x4c1/0x4e0
execute_in_process_context+0x23/0x90
device_release+0x54/0xe0
kobject_put+0xa5/0x120
scsi_disk_release+0x3f/0x50
device_release+0x54/0xe0
kobject_put+0xa5/0x120
disk_release+0x17f/0x1b0
device_release+0x54/0xe0
kobject_put+0xa5/0x120
dm_put_table_device+0xa3/0x160 [dm_mod]
dm_put_device+0xd0/0x140 [dm_mod]
free_priority_group+0xd8/0x110 [dm_multipath]
free_multipath+0x94/0xe0 [dm_multipath]
dm_table_destroy+0xa2/0x1e0 [dm_mod]
__dm_destroy+0x196/0x350 [dm_mod]
dev_remove+0x10c/0x160 [dm_mod]
ctl_ioctl+0x2c2/0x590 [dm_mod]
dm_ctl_ioctl+0x5/0x10 [dm_mod]
__x64_sys_ioctl+0xb4/0xf0
dm_ctl_ioctl+0x5/0x10 [dm_mod]
__x64_sys_ioctl+0xb4/0xf0
do_syscall_64+0x3b/0x90
entry_SYSCALL_64_after_hwframe+0x46/0xb0

En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: scsi: core: corrige un use-after-free Hay dos implementaciones de .exit_cmd_priv. Ambas implementaciones utilizan recursos asociados con el host SCSI. Asegúrese de que estos recursos todavía estén disponibles cuando se llame a .exit_cmd_priv esperando dentro de scsi_remove_host() hasta que se haya liberado el conjunto de etiquetas. Esta confirmación corrige el siguiente use-after-free: ======================================== =========================== ERROR: KASAN: use-after-free en srp_exit_cmd_priv+0x27/0xd0 [ib_srp] Lectura de tamaño 8 en addr ffff888100337000 por tarea multipathd/16727 Rastreo de llamadas: dump_stack_lvl+0x34/0x44 print_report.cold+0x5e/0x5db kasan_report+0xab/0x120 srp_exit_cmd_priv+0x27/0xd0 [ib_srp] +0x4d/0x70 blk_mq_free_rqs+0x143/0x410 __blk_mq_free_map_and_rqs+ 0x6e/0x100 blk_mq_free_tag_set+0x2b/0x160 scsi_host_dev_release+0xf3/0x1a0 dispositivo_release+0x54/0xe0 kobject_put+0xa5/0x120 dispositivo_release+0x54/0xe0 kobject_put+0xa5/0x120 +0x4c1/0x4e0 ejecutar_en_contexto_de_proceso+0x23/0x90 liberación_de_dispositivo+0x54/0xe0 kobject_put+ 0xa5/0x120 scsi_disk_release+0x3f/0x50 dispositivo_liberación+0x54/0xe0 kobject_put+0xa5/0x120 disk_release+0x17f/0x1b0 dispositivo_liberación+0x54/0xe0 kobject_put+0xa5/0x120 dm_put_table_device+0xa3/0x160 [dm_mod] dm_put_device+0xd0/0x140 [dm_mod] grupo_prioridad_libre +0xd8/0x110 [dm_multipath] free_multipath+0x94/0xe0 [dm_multipath] dm_table_destroy+0xa2/0x1e0 [dm_mod] __dm_destroy+0x196/0x350 [dm_mod] dev_remove+0x10c/0x160 [dm_mod] 2c2/0x590 [dm_mod] dm_ctl_ioctl+0x5 /0x10 [dm_mod] __x64_sys_ioctl+0xb4/0xf0 dm_ctl_ioctl+0x5/0x10 [dm_mod] __x64_sys_ioctl+0xb4/0xf0 do_syscall_64+0x3b/0x90 entrada_SYSCALL_64_after_hwframe+0x46/0xb 0

*Credits: N/A

CVSS Scores

CISAv3.1 7.4

Attack Vector

Local

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

* Common Vulnerability Scoring System

SSVC

Decision:Track*

Exploitation

None

Automatable

Tech. Impact

Total

* Organization's Worst-case Scenario

Timeline

2024-02-25 CVE Reserved
2024-04-28 CVE Published
2024-07-29 EPSS Updated
2024-08-03 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-416: Use After Free

CAPEC

References (5)

URL	Tag	Source
https://git.kernel.org/stable/c/65ca846a53149a1a72cd8d02e7b2e73dd545b834	Vuln. Introduced

URL	Date	SRC

URL	Date	SRC
https://git.kernel.org/stable/c/5ce8fad941233e81f2afb5b52a3fcddd3ba8732f	2024-07-27
https://git.kernel.org/stable/c/f818708eeeae793e12dc39f8984ed7732048a7d9	2024-07-27
https://git.kernel.org/stable/c/2e7eb4c1e8af8385de22775bd0be552f59b28c9a	2022-09-28
https://git.kernel.org/stable/c/8fe4ce5836e932f5766317cb651c1ff2a4cd0506	2022-09-01

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.7 < 5.10.223 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.7 < 5.10.223"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.7 < 5.15.164 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.7 < 5.15.164"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.7 < 5.19.12 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.7 < 5.19.12"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.7 < 6.0 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.7 < 6.0"		en		Affected