cve-2022-49082
Vulnerability from cvelistv5
Published
2025-02-26 01:54
Modified
2025-02-27 18:22
Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
scsi: mpt3sas: Fix use after free in _scsih_expander_node_remove()
The function mpt3sas_transport_port_remove() called in
_scsih_expander_node_remove() frees the port field of the sas_expander
structure, leading to the following use-after-free splat from KASAN when
the ioc_info() call following that function is executed (e.g. when doing
rmmod of the driver module):
[ 3479.371167] ==================================================================
[ 3479.378496] BUG: KASAN: use-after-free in _scsih_expander_node_remove+0x710/0x750 [mpt3sas]
[ 3479.386936] Read of size 1 at addr ffff8881c037691c by task rmmod/1531
[ 3479.393524]
[ 3479.395035] CPU: 18 PID: 1531 Comm: rmmod Not tainted 5.17.0-rc8+ #1436
[ 3479.401712] Hardware name: Supermicro Super Server/H12SSL-NT, BIOS 2.1 06/02/2021
[ 3479.409263] Call Trace:
[ 3479.411743] <TASK>
[ 3479.413875] dump_stack_lvl+0x45/0x59
[ 3479.417582] print_address_description.constprop.0+0x1f/0x120
[ 3479.423389] ? _scsih_expander_node_remove+0x710/0x750 [mpt3sas]
[ 3479.429469] kasan_report.cold+0x83/0xdf
[ 3479.433438] ? _scsih_expander_node_remove+0x710/0x750 [mpt3sas]
[ 3479.439514] _scsih_expander_node_remove+0x710/0x750 [mpt3sas]
[ 3479.445411] ? _raw_spin_unlock_irqrestore+0x2d/0x40
[ 3479.452032] scsih_remove+0x525/0xc90 [mpt3sas]
[ 3479.458212] ? mpt3sas_expander_remove+0x1d0/0x1d0 [mpt3sas]
[ 3479.465529] ? down_write+0xde/0x150
[ 3479.470746] ? up_write+0x14d/0x460
[ 3479.475840] ? kernfs_find_ns+0x137/0x310
[ 3479.481438] pci_device_remove+0x65/0x110
[ 3479.487013] __device_release_driver+0x316/0x680
[ 3479.493180] driver_detach+0x1ec/0x2d0
[ 3479.498499] bus_remove_driver+0xe7/0x2d0
[ 3479.504081] pci_unregister_driver+0x26/0x250
[ 3479.510033] _mpt3sas_exit+0x2b/0x6cf [mpt3sas]
[ 3479.516144] __x64_sys_delete_module+0x2fd/0x510
[ 3479.522315] ? free_module+0xaa0/0xaa0
[ 3479.527593] ? __cond_resched+0x1c/0x90
[ 3479.532951] ? lockdep_hardirqs_on_prepare+0x273/0x3e0
[ 3479.539607] ? syscall_enter_from_user_mode+0x21/0x70
[ 3479.546161] ? trace_hardirqs_on+0x1c/0x110
[ 3479.551828] do_syscall_64+0x35/0x80
[ 3479.556884] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 3479.563402] RIP: 0033:0x7f1fc482483b
...
[ 3479.943087] ==================================================================
Fix this by introducing the local variable port_id to store the port ID
value before executing mpt3sas_transport_port_remove(). This local variable
is then used in the call to ioc_info() instead of dereferencing the freed
port structure.
References
Impacted products
{ containers: { adp: [ { metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "LOCAL", availabilityImpact: "HIGH", baseScore: 7.8, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, }, { other: { content: { id: "CVE-2022-49082", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "total", }, ], role: "CISA Coordinator", timestamp: "2025-02-27T18:17:34.716925Z", version: "2.0.3", }, type: "ssvc", }, }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-416", description: "CWE-416 Use After Free", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2025-02-27T18:22:35.454Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Linux", programFiles: [ "drivers/scsi/mpt3sas/mpt3sas_scsih.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { lessThan: "25c1353dca74ad7cf3fd7ce258fe7c957a147d5e", status: "affected", version: "7d310f241001e090cf1ec0f3ae836b38d8c6ebec", versionType: "git", }, { lessThan: "17d66b1c92bcb41e72271ec60069d3684aaa1c9c", status: "affected", version: "7d310f241001e090cf1ec0f3ae836b38d8c6ebec", versionType: "git", }, { lessThan: "1bb8a7fc64d63ec818e367e1b37676ea2ef2d20c", status: "affected", version: "7d310f241001e090cf1ec0f3ae836b38d8c6ebec", versionType: "git", }, { lessThan: "87d663d40801dffc99a5ad3b0188ad3e2b4d1557", status: "affected", version: "7d310f241001e090cf1ec0f3ae836b38d8c6ebec", versionType: "git", }, ], }, { defaultStatus: "affected", product: "Linux", programFiles: [ "drivers/scsi/mpt3sas/mpt3sas_scsih.c", ], repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", vendor: "Linux", versions: [ { status: "affected", version: "5.11", }, { lessThan: "5.11", status: "unaffected", version: "0", versionType: "semver", }, { lessThanOrEqual: "5.15.*", status: "unaffected", version: "5.15.34", versionType: "semver", }, { lessThanOrEqual: "5.16.*", status: "unaffected", version: "5.16.20", versionType: "semver", }, { lessThanOrEqual: "5.17.*", status: "unaffected", version: "5.17.3", versionType: "semver", }, { lessThanOrEqual: "*", status: "unaffected", version: "5.18", versionType: "original_commit_for_fix", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: mpt3sas: Fix use after free in _scsih_expander_node_remove()\n\nThe function mpt3sas_transport_port_remove() called in\n_scsih_expander_node_remove() frees the port field of the sas_expander\nstructure, leading to the following use-after-free splat from KASAN when\nthe ioc_info() call following that function is executed (e.g. when doing\nrmmod of the driver module):\n\n[ 3479.371167] ==================================================================\n[ 3479.378496] BUG: KASAN: use-after-free in _scsih_expander_node_remove+0x710/0x750 [mpt3sas]\n[ 3479.386936] Read of size 1 at addr ffff8881c037691c by task rmmod/1531\n[ 3479.393524]\n[ 3479.395035] CPU: 18 PID: 1531 Comm: rmmod Not tainted 5.17.0-rc8+ #1436\n[ 3479.401712] Hardware name: Supermicro Super Server/H12SSL-NT, BIOS 2.1 06/02/2021\n[ 3479.409263] Call Trace:\n[ 3479.411743] <TASK>\n[ 3479.413875] dump_stack_lvl+0x45/0x59\n[ 3479.417582] print_address_description.constprop.0+0x1f/0x120\n[ 3479.423389] ? _scsih_expander_node_remove+0x710/0x750 [mpt3sas]\n[ 3479.429469] kasan_report.cold+0x83/0xdf\n[ 3479.433438] ? _scsih_expander_node_remove+0x710/0x750 [mpt3sas]\n[ 3479.439514] _scsih_expander_node_remove+0x710/0x750 [mpt3sas]\n[ 3479.445411] ? _raw_spin_unlock_irqrestore+0x2d/0x40\n[ 3479.452032] scsih_remove+0x525/0xc90 [mpt3sas]\n[ 3479.458212] ? mpt3sas_expander_remove+0x1d0/0x1d0 [mpt3sas]\n[ 3479.465529] ? down_write+0xde/0x150\n[ 3479.470746] ? up_write+0x14d/0x460\n[ 3479.475840] ? kernfs_find_ns+0x137/0x310\n[ 3479.481438] pci_device_remove+0x65/0x110\n[ 3479.487013] __device_release_driver+0x316/0x680\n[ 3479.493180] driver_detach+0x1ec/0x2d0\n[ 3479.498499] bus_remove_driver+0xe7/0x2d0\n[ 3479.504081] pci_unregister_driver+0x26/0x250\n[ 3479.510033] _mpt3sas_exit+0x2b/0x6cf [mpt3sas]\n[ 3479.516144] __x64_sys_delete_module+0x2fd/0x510\n[ 3479.522315] ? free_module+0xaa0/0xaa0\n[ 3479.527593] ? __cond_resched+0x1c/0x90\n[ 3479.532951] ? lockdep_hardirqs_on_prepare+0x273/0x3e0\n[ 3479.539607] ? syscall_enter_from_user_mode+0x21/0x70\n[ 3479.546161] ? trace_hardirqs_on+0x1c/0x110\n[ 3479.551828] do_syscall_64+0x35/0x80\n[ 3479.556884] entry_SYSCALL_64_after_hwframe+0x44/0xae\n[ 3479.563402] RIP: 0033:0x7f1fc482483b\n...\n[ 3479.943087] ==================================================================\n\nFix this by introducing the local variable port_id to store the port ID\nvalue before executing mpt3sas_transport_port_remove(). This local variable\nis then used in the call to ioc_info() instead of dereferencing the freed\nport structure.", }, ], providerMetadata: { dateUpdated: "2025-02-26T01:54:42.101Z", orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", shortName: "Linux", }, references: [ { url: "https://git.kernel.org/stable/c/25c1353dca74ad7cf3fd7ce258fe7c957a147d5e", }, { url: "https://git.kernel.org/stable/c/17d66b1c92bcb41e72271ec60069d3684aaa1c9c", }, { url: "https://git.kernel.org/stable/c/1bb8a7fc64d63ec818e367e1b37676ea2ef2d20c", }, { url: "https://git.kernel.org/stable/c/87d663d40801dffc99a5ad3b0188ad3e2b4d1557", }, ], title: "scsi: mpt3sas: Fix use after free in _scsih_expander_node_remove()", x_generator: { engine: "bippy-5f407fcff5a0", }, }, }, cveMetadata: { assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", assignerShortName: "Linux", cveId: "CVE-2022-49082", datePublished: "2025-02-26T01:54:42.101Z", dateReserved: "2025-02-26T01:49:39.247Z", dateUpdated: "2025-02-27T18:22:35.454Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", "vulnerability-lookup:meta": { nvd: "{\"cve\":{\"id\":\"CVE-2022-49082\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2025-02-26T07:00:45.540\",\"lastModified\":\"2025-03-25T18:55:58.707\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nscsi: mpt3sas: Fix use after free in _scsih_expander_node_remove()\\n\\nThe function mpt3sas_transport_port_remove() called in\\n_scsih_expander_node_remove() frees the port field of the sas_expander\\nstructure, leading to the following use-after-free splat from KASAN when\\nthe ioc_info() call following that function is executed (e.g. when doing\\nrmmod of the driver module):\\n\\n[ 3479.371167] ==================================================================\\n[ 3479.378496] BUG: KASAN: use-after-free in _scsih_expander_node_remove+0x710/0x750 [mpt3sas]\\n[ 3479.386936] Read of size 1 at addr ffff8881c037691c by task rmmod/1531\\n[ 3479.393524]\\n[ 3479.395035] CPU: 18 PID: 1531 Comm: rmmod Not tainted 5.17.0-rc8+ #1436\\n[ 3479.401712] Hardware name: Supermicro Super Server/H12SSL-NT, BIOS 2.1 06/02/2021\\n[ 3479.409263] Call Trace:\\n[ 3479.411743] <TASK>\\n[ 3479.413875] dump_stack_lvl+0x45/0x59\\n[ 3479.417582] print_address_description.constprop.0+0x1f/0x120\\n[ 3479.423389] ? _scsih_expander_node_remove+0x710/0x750 [mpt3sas]\\n[ 3479.429469] kasan_report.cold+0x83/0xdf\\n[ 3479.433438] ? _scsih_expander_node_remove+0x710/0x750 [mpt3sas]\\n[ 3479.439514] _scsih_expander_node_remove+0x710/0x750 [mpt3sas]\\n[ 3479.445411] ? _raw_spin_unlock_irqrestore+0x2d/0x40\\n[ 3479.452032] scsih_remove+0x525/0xc90 [mpt3sas]\\n[ 3479.458212] ? mpt3sas_expander_remove+0x1d0/0x1d0 [mpt3sas]\\n[ 3479.465529] ? down_write+0xde/0x150\\n[ 3479.470746] ? up_write+0x14d/0x460\\n[ 3479.475840] ? kernfs_find_ns+0x137/0x310\\n[ 3479.481438] pci_device_remove+0x65/0x110\\n[ 3479.487013] __device_release_driver+0x316/0x680\\n[ 3479.493180] driver_detach+0x1ec/0x2d0\\n[ 3479.498499] bus_remove_driver+0xe7/0x2d0\\n[ 3479.504081] pci_unregister_driver+0x26/0x250\\n[ 3479.510033] _mpt3sas_exit+0x2b/0x6cf [mpt3sas]\\n[ 3479.516144] __x64_sys_delete_module+0x2fd/0x510\\n[ 3479.522315] ? free_module+0xaa0/0xaa0\\n[ 3479.527593] ? __cond_resched+0x1c/0x90\\n[ 3479.532951] ? lockdep_hardirqs_on_prepare+0x273/0x3e0\\n[ 3479.539607] ? syscall_enter_from_user_mode+0x21/0x70\\n[ 3479.546161] ? trace_hardirqs_on+0x1c/0x110\\n[ 3479.551828] do_syscall_64+0x35/0x80\\n[ 3479.556884] entry_SYSCALL_64_after_hwframe+0x44/0xae\\n[ 3479.563402] RIP: 0033:0x7f1fc482483b\\n...\\n[ 3479.943087] ==================================================================\\n\\nFix this by introducing the local variable port_id to store the port ID\\nvalue before executing mpt3sas_transport_port_remove(). This local variable\\nis then used in the call to ioc_info() instead of dereferencing the freed\\nport structure.\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: scsi: mpt3sas: Se corrige el use-after-free en _scsih_expander_node_remove() La función mpt3sas_transport_port_remove() llamada en _scsih_expander_node_remove() libera el campo de puerto de la estructura sas_expander, lo que lleva al siguiente splat de use-after-free de KASAN cuando se ejecuta la llamada ioc_info() después de esa función (por ejemplo, al realizar rmmod del módulo del controlador): [ 3479.371167] ===================================================================== [ 3479.378496] ERROR: KASAN: use-after-free en _scsih_expander_node_remove+0x710/0x750 [mpt3sas] [ 3479.386936] Lectura de tamaño 1 en la dirección ffff8881c037691c por la tarea rmmod/1531 [ 3479.393524] [ 3479.395035] CPU: 18 PID: 1531 Comm: rmmod No contaminado 5.17.0-rc8+ #1436 [ 3479.401712] Nombre del hardware: Supermicro Super Server/H12SSL-NT, BIOS 2.1 06/02/2021 [ 3479.409263] Call Trace: [ 3479.411743] [ 3479.413875] dump_stack_lvl+0x45/0x59 [ 3479.417582] print_address_description.constprop.0+0x1f/0x120 [ 3479.423389] ? _scsih_expander_node_remove+0x710/0x750 [mpt3sas] [ 3479.429469] kasan_report.cold+0x83/0xdf [ 3479.433438] ? _scsih_expander_node_remove+0x710/0x750 [mpt3sas] [ 3479.439514] _scsih_expander_node_remove+0x710/0x750 [mpt3sas] [ 3479.445411] ? _raw_spin_unlock_irqrestore+0x2d/0x40 [ 3479.452032] scsih_remove+0x525/0xc90 [mpt3sas] [ 3479.458212] ? mpt3sas_expander_remove+0x1d0/0x1d0 [mpt3sas] [ 3479.465529] ? down_write+0xde/0x150 [ 3479.470746] ? up_write+0x14d/0x460 [ 3479.475840] ? kernfs_find_ns+0x137/0x310 [ 3479.481438] pci_device_remove+0x65/0x110 [ 3479.487013] __device_release_driver+0x316/0x680 [ 3479.493180] driver_detach+0x1ec/0x2d0 [ 3479.498499] bus_remove_driver+0xe7/0x2d0 [ 3479.504081] pci_unregister_driver+0x26/0x250 [ 3479.510033] _mpt3sas_exit+0x2b/0x6cf [mpt3sas] [ 3479.516144] __x64_sys_delete_module+0x2fd/0x510 [ 3479.522315] ? free_module+0xaa0/0xaa0 [ 3479.527593] ? __cond_resched+0x1c/0x90 [ 3479.532951] ? lockdep_hardirqs_on_prepare+0x273/0x3e0 [ 3479.539607] ? syscall_enter_from_user_mode+0x21/0x70 [ 3479.546161] ? trace_hardirqs_on+0x1c/0x110 [ 3479.551828] do_syscall_64+0x35/0x80 [ 3479.556884] entry_SYSCALL_64_after_hwframe+0x44/0xae [ 3479.563402] RIP: 0033:0x7f1fc482483b ... [ 3479.943087] ======================================================================== Solucione esto introduciendo la variable local port_id para almacenar el valor del ID del puerto antes de ejecutar mpt3sas_transport_port_remove(). Luego, esta variable local se utiliza en la llamada a ioc_info() en lugar de desreferenciar la estructura del puerto liberado.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":7.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.8,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-416\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"5.11\",\"versionEndExcluding\":\"5.15.34\",\"matchCriteriaId\":\"D25878D3-7761-4E9F-8919-E92CD53896E0\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"5.16\",\"versionEndExcluding\":\"5.16.20\",\"matchCriteriaId\":\"ABBBA66E-0244-4621-966B-9790AF1EEB00\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"5.17\",\"versionEndExcluding\":\"5.17.3\",\"matchCriteriaId\":\"AE420AC7-1E59-4398-B84F-71F4B4337762\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:5.18:rc1:*:*:*:*:*:*\",\"matchCriteriaId\":\"6AD94161-84BB-42E6-9882-4FC0C42E9FC1\"}]}]}],\"references\":[{\"url\":\"https://git.kernel.org/stable/c/17d66b1c92bcb41e72271ec60069d3684aaa1c9c\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/1bb8a7fc64d63ec818e367e1b37676ea2ef2d20c\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/25c1353dca74ad7cf3fd7ce258fe7c957a147d5e\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/87d663d40801dffc99a5ad3b0188ad3e2b4d1557\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]}]}}", vulnrichment: { containers: "{\"cna\": {\"providerMetadata\": {\"orgId\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\", \"shortName\": \"Linux\", \"dateUpdated\": \"2025-02-26T01:54:42.101Z\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nscsi: mpt3sas: Fix use after free in _scsih_expander_node_remove()\\n\\nThe function mpt3sas_transport_port_remove() called in\\n_scsih_expander_node_remove() frees the port field of the sas_expander\\nstructure, leading to the following use-after-free splat from KASAN when\\nthe ioc_info() call following that function is executed (e.g. when doing\\nrmmod of the driver module):\\n\\n[ 3479.371167] ==================================================================\\n[ 3479.378496] BUG: KASAN: use-after-free in _scsih_expander_node_remove+0x710/0x750 [mpt3sas]\\n[ 3479.386936] Read of size 1 at addr ffff8881c037691c by task rmmod/1531\\n[ 3479.393524]\\n[ 3479.395035] CPU: 18 PID: 1531 Comm: rmmod Not tainted 5.17.0-rc8+ #1436\\n[ 3479.401712] Hardware name: Supermicro Super Server/H12SSL-NT, BIOS 2.1 06/02/2021\\n[ 3479.409263] Call Trace:\\n[ 3479.411743] <TASK>\\n[ 3479.413875] dump_stack_lvl+0x45/0x59\\n[ 3479.417582] print_address_description.constprop.0+0x1f/0x120\\n[ 3479.423389] ? _scsih_expander_node_remove+0x710/0x750 [mpt3sas]\\n[ 3479.429469] kasan_report.cold+0x83/0xdf\\n[ 3479.433438] ? _scsih_expander_node_remove+0x710/0x750 [mpt3sas]\\n[ 3479.439514] _scsih_expander_node_remove+0x710/0x750 [mpt3sas]\\n[ 3479.445411] ? _raw_spin_unlock_irqrestore+0x2d/0x40\\n[ 3479.452032] scsih_remove+0x525/0xc90 [mpt3sas]\\n[ 3479.458212] ? mpt3sas_expander_remove+0x1d0/0x1d0 [mpt3sas]\\n[ 3479.465529] ? down_write+0xde/0x150\\n[ 3479.470746] ? up_write+0x14d/0x460\\n[ 3479.475840] ? kernfs_find_ns+0x137/0x310\\n[ 3479.481438] pci_device_remove+0x65/0x110\\n[ 3479.487013] __device_release_driver+0x316/0x680\\n[ 3479.493180] driver_detach+0x1ec/0x2d0\\n[ 3479.498499] bus_remove_driver+0xe7/0x2d0\\n[ 3479.504081] pci_unregister_driver+0x26/0x250\\n[ 3479.510033] _mpt3sas_exit+0x2b/0x6cf [mpt3sas]\\n[ 3479.516144] __x64_sys_delete_module+0x2fd/0x510\\n[ 3479.522315] ? free_module+0xaa0/0xaa0\\n[ 3479.527593] ? __cond_resched+0x1c/0x90\\n[ 3479.532951] ? lockdep_hardirqs_on_prepare+0x273/0x3e0\\n[ 3479.539607] ? syscall_enter_from_user_mode+0x21/0x70\\n[ 3479.546161] ? trace_hardirqs_on+0x1c/0x110\\n[ 3479.551828] do_syscall_64+0x35/0x80\\n[ 3479.556884] entry_SYSCALL_64_after_hwframe+0x44/0xae\\n[ 3479.563402] RIP: 0033:0x7f1fc482483b\\n...\\n[ 3479.943087] ==================================================================\\n\\nFix this by introducing the local variable port_id to store the port ID\\nvalue before executing mpt3sas_transport_port_remove(). This local variable\\nis then used in the call to ioc_info() instead of dereferencing the freed\\nport structure.\"}], \"affected\": [{\"product\": \"Linux\", \"vendor\": \"Linux\", \"defaultStatus\": \"unaffected\", \"repo\": \"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git\", \"programFiles\": [\"drivers/scsi/mpt3sas/mpt3sas_scsih.c\"], \"versions\": [{\"version\": \"7d310f241001e090cf1ec0f3ae836b38d8c6ebec\", \"lessThan\": \"25c1353dca74ad7cf3fd7ce258fe7c957a147d5e\", \"status\": \"affected\", \"versionType\": \"git\"}, {\"version\": \"7d310f241001e090cf1ec0f3ae836b38d8c6ebec\", \"lessThan\": \"17d66b1c92bcb41e72271ec60069d3684aaa1c9c\", \"status\": \"affected\", \"versionType\": \"git\"}, {\"version\": \"7d310f241001e090cf1ec0f3ae836b38d8c6ebec\", \"lessThan\": \"1bb8a7fc64d63ec818e367e1b37676ea2ef2d20c\", \"status\": \"affected\", \"versionType\": \"git\"}, {\"version\": \"7d310f241001e090cf1ec0f3ae836b38d8c6ebec\", \"lessThan\": \"87d663d40801dffc99a5ad3b0188ad3e2b4d1557\", \"status\": \"affected\", \"versionType\": \"git\"}]}, {\"product\": \"Linux\", \"vendor\": \"Linux\", \"defaultStatus\": \"affected\", \"repo\": \"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git\", \"programFiles\": [\"drivers/scsi/mpt3sas/mpt3sas_scsih.c\"], \"versions\": [{\"version\": \"5.11\", \"status\": \"affected\"}, {\"version\": \"0\", \"lessThan\": \"5.11\", \"status\": \"unaffected\", \"versionType\": \"semver\"}, {\"version\": \"5.15.34\", \"lessThanOrEqual\": \"5.15.*\", \"status\": \"unaffected\", \"versionType\": \"semver\"}, {\"version\": \"5.16.20\", \"lessThanOrEqual\": \"5.16.*\", \"status\": \"unaffected\", \"versionType\": \"semver\"}, {\"version\": \"5.17.3\", \"lessThanOrEqual\": \"5.17.*\", \"status\": \"unaffected\", \"versionType\": \"semver\"}, {\"version\": \"5.18\", \"lessThanOrEqual\": \"*\", \"status\": \"unaffected\", \"versionType\": \"original_commit_for_fix\"}]}], \"references\": [{\"url\": \"https://git.kernel.org/stable/c/25c1353dca74ad7cf3fd7ce258fe7c957a147d5e\"}, {\"url\": \"https://git.kernel.org/stable/c/17d66b1c92bcb41e72271ec60069d3684aaa1c9c\"}, {\"url\": \"https://git.kernel.org/stable/c/1bb8a7fc64d63ec818e367e1b37676ea2ef2d20c\"}, {\"url\": \"https://git.kernel.org/stable/c/87d663d40801dffc99a5ad3b0188ad3e2b4d1557\"}], \"title\": \"scsi: mpt3sas: Fix use after free in _scsih_expander_node_remove()\", \"x_generator\": {\"engine\": \"bippy-5f407fcff5a0\"}}, \"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 7.8, \"attackVector\": \"LOCAL\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"HIGH\"}}, {\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2022-49082\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-02-27T18:17:34.716925Z\"}}}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-416\", \"description\": \"CWE-416 Use After Free\"}]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-02-27T18:17:36.405Z\"}}]}", cveMetadata: "{\"cveId\": \"CVE-2022-49082\", \"assignerOrgId\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\", \"state\": \"PUBLISHED\", \"assignerShortName\": \"Linux\", \"dateReserved\": \"2025-02-26T01:49:39.247Z\", \"datePublished\": \"2025-02-26T01:54:42.101Z\", \"dateUpdated\": \"2025-02-27T18:22:35.454Z\"}", dataType: "CVE_RECORD", dataVersion: "5.1", }, }, }
Log in or create an account to share your comment.
Security Advisory comment format.
This schema specifies the format of a comment related to a security advisory.
Title of the comment
Description of the comment
Loading…
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.