ghsa-frc7-r8x5-7jq8
Vulnerability from github
Published
2025-02-27 21:32
Modified
2025-02-27 21:32
Severity ?
7.8 (High) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Details

In the Linux kernel, the following vulnerability has been resolved:

scsi: mpt3sas: Fix use after free in _scsih_expander_node_remove()

The function mpt3sas_transport_port_remove() called in _scsih_expander_node_remove() frees the port field of the sas_expander structure, leading to the following use-after-free splat from KASAN when the ioc_info() call following that function is executed (e.g. when doing rmmod of the driver module):

[ 3479.371167] ================================================================== [ 3479.378496] BUG: KASAN: use-after-free in _scsih_expander_node_remove+0x710/0x750 [mpt3sas] [ 3479.386936] Read of size 1 at addr ffff8881c037691c by task rmmod/1531 [ 3479.393524] [ 3479.395035] CPU: 18 PID: 1531 Comm: rmmod Not tainted 5.17.0-rc8+ #1436 [ 3479.401712] Hardware name: Supermicro Super Server/H12SSL-NT, BIOS 2.1 06/02/2021 [ 3479.409263] Call Trace: [ 3479.411743] [ 3479.413875] dump_stack_lvl+0x45/0x59 [ 3479.417582] print_address_description.constprop.0+0x1f/0x120 [ 3479.423389] ? _scsih_expander_node_remove+0x710/0x750 [mpt3sas] [ 3479.429469] kasan_report.cold+0x83/0xdf [ 3479.433438] ? _scsih_expander_node_remove+0x710/0x750 [mpt3sas] [ 3479.439514] _scsih_expander_node_remove+0x710/0x750 [mpt3sas] [ 3479.445411] ? _raw_spin_unlock_irqrestore+0x2d/0x40 [ 3479.452032] scsih_remove+0x525/0xc90 [mpt3sas] [ 3479.458212] ? mpt3sas_expander_remove+0x1d0/0x1d0 [mpt3sas] [ 3479.465529] ? down_write+0xde/0x150 [ 3479.470746] ? up_write+0x14d/0x460 [ 3479.475840] ? kernfs_find_ns+0x137/0x310 [ 3479.481438] pci_device_remove+0x65/0x110 [ 3479.487013] __device_release_driver+0x316/0x680 [ 3479.493180] driver_detach+0x1ec/0x2d0 [ 3479.498499] bus_remove_driver+0xe7/0x2d0 [ 3479.504081] pci_unregister_driver+0x26/0x250 [ 3479.510033] _mpt3sas_exit+0x2b/0x6cf [mpt3sas] [ 3479.516144] __x64_sys_delete_module+0x2fd/0x510 [ 3479.522315] ? free_module+0xaa0/0xaa0 [ 3479.527593] ? __cond_resched+0x1c/0x90 [ 3479.532951] ? lockdep_hardirqs_on_prepare+0x273/0x3e0 [ 3479.539607] ? syscall_enter_from_user_mode+0x21/0x70 [ 3479.546161] ? trace_hardirqs_on+0x1c/0x110 [ 3479.551828] do_syscall_64+0x35/0x80 [ 3479.556884] entry_SYSCALL_64_after_hwframe+0x44/0xae [ 3479.563402] RIP: 0033:0x7f1fc482483b ... [ 3479.943087] ==================================================================

Fix this by introducing the local variable port_id to store the port ID value before executing mpt3sas_transport_port_remove(). This local variable is then used in the call to ioc_info() instead of dereferencing the freed port structure.

Show details on source website

To clipboard 

{
   affected: [],
   aliases: [
      "CVE-2022-49082",
   ],
   database_specific: {
      cwe_ids: [
         "CWE-416",
      ],
      github_reviewed: false,
      github_reviewed_at: null,
      nvd_published_at: "2025-02-26T07:00:45Z",
      severity: "HIGH",
   },
   details: "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: mpt3sas: Fix use after free in _scsih_expander_node_remove()\n\nThe function mpt3sas_transport_port_remove() called in\n_scsih_expander_node_remove() frees the port field of the sas_expander\nstructure, leading to the following use-after-free splat from KASAN when\nthe ioc_info() call following that function is executed (e.g. when doing\nrmmod of the driver module):\n\n[ 3479.371167] ==================================================================\n[ 3479.378496] BUG: KASAN: use-after-free in _scsih_expander_node_remove+0x710/0x750 [mpt3sas]\n[ 3479.386936] Read of size 1 at addr ffff8881c037691c by task rmmod/1531\n[ 3479.393524]\n[ 3479.395035] CPU: 18 PID: 1531 Comm: rmmod Not tainted 5.17.0-rc8+ #1436\n[ 3479.401712] Hardware name: Supermicro Super Server/H12SSL-NT, BIOS 2.1 06/02/2021\n[ 3479.409263] Call Trace:\n[ 3479.411743]  <TASK>\n[ 3479.413875]  dump_stack_lvl+0x45/0x59\n[ 3479.417582]  print_address_description.constprop.0+0x1f/0x120\n[ 3479.423389]  ? _scsih_expander_node_remove+0x710/0x750 [mpt3sas]\n[ 3479.429469]  kasan_report.cold+0x83/0xdf\n[ 3479.433438]  ? _scsih_expander_node_remove+0x710/0x750 [mpt3sas]\n[ 3479.439514]  _scsih_expander_node_remove+0x710/0x750 [mpt3sas]\n[ 3479.445411]  ? _raw_spin_unlock_irqrestore+0x2d/0x40\n[ 3479.452032]  scsih_remove+0x525/0xc90 [mpt3sas]\n[ 3479.458212]  ? mpt3sas_expander_remove+0x1d0/0x1d0 [mpt3sas]\n[ 3479.465529]  ? down_write+0xde/0x150\n[ 3479.470746]  ? up_write+0x14d/0x460\n[ 3479.475840]  ? kernfs_find_ns+0x137/0x310\n[ 3479.481438]  pci_device_remove+0x65/0x110\n[ 3479.487013]  __device_release_driver+0x316/0x680\n[ 3479.493180]  driver_detach+0x1ec/0x2d0\n[ 3479.498499]  bus_remove_driver+0xe7/0x2d0\n[ 3479.504081]  pci_unregister_driver+0x26/0x250\n[ 3479.510033]  _mpt3sas_exit+0x2b/0x6cf [mpt3sas]\n[ 3479.516144]  __x64_sys_delete_module+0x2fd/0x510\n[ 3479.522315]  ? free_module+0xaa0/0xaa0\n[ 3479.527593]  ? __cond_resched+0x1c/0x90\n[ 3479.532951]  ? lockdep_hardirqs_on_prepare+0x273/0x3e0\n[ 3479.539607]  ? syscall_enter_from_user_mode+0x21/0x70\n[ 3479.546161]  ? trace_hardirqs_on+0x1c/0x110\n[ 3479.551828]  do_syscall_64+0x35/0x80\n[ 3479.556884]  entry_SYSCALL_64_after_hwframe+0x44/0xae\n[ 3479.563402] RIP: 0033:0x7f1fc482483b\n...\n[ 3479.943087] ==================================================================\n\nFix this by introducing the local variable port_id to store the port ID\nvalue before executing mpt3sas_transport_port_remove(). This local variable\nis then used in the call to ioc_info() instead of dereferencing the freed\nport structure.",
   id: "GHSA-frc7-r8x5-7jq8",
   modified: "2025-02-27T21:32:11Z",
   published: "2025-02-27T21:32:11Z",
   references: [
      {
         type: "ADVISORY",
         url: "https://nvd.nist.gov/vuln/detail/CVE-2022-49082",
      },
      {
         type: "WEB",
         url: "https://git.kernel.org/stable/c/17d66b1c92bcb41e72271ec60069d3684aaa1c9c",
      },
      {
         type: "WEB",
         url: "https://git.kernel.org/stable/c/1bb8a7fc64d63ec818e367e1b37676ea2ef2d20c",
      },
      {
         type: "WEB",
         url: "https://git.kernel.org/stable/c/25c1353dca74ad7cf3fd7ce258fe7c957a147d5e",
      },
      {
         type: "WEB",
         url: "https://git.kernel.org/stable/c/87d663d40801dffc99a5ad3b0188ad3e2b4d1557",
      },
   ],
   schema_version: "1.4.0",
   severity: [
      {
         score: "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
         type: "CVSS_V3",
      },
   ],
}


Log in or create an account to share your comment.

Security Advisory comment format.

This schema specifies the format of a comment related to a security advisory.

UUIDv4 of the comment
UUIDv4 of the Vulnerability-Lookup instance
When the comment was created originally
When the comment was last updated
Title of the comment
Description of the comment
The identifier of the vulnerability (CVE ID, GHSA-ID, PYSEC ID, etc.).



Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.