CVSS3
Attack Vector
LOCAL
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
AI Score
Confidence
High
EPSS
Percentile
16.1%
In the Linux kernel, the following vulnerability has been resolved: scsi:
core: Fix a use-after-free There are two .exit_cmd_priv implementations.
Both implementations use resources associated with the SCSI host. Make sure
that these resources are still available when .exit_cmd_priv is called by
waiting inside scsi_remove_host() until the tag set has been freed. This
commit fixes the following use-after-free:
================================================================== BUG:
KASAN: use-after-free in srp_exit_cmd_priv+0x27/0xd0 [ib_srp] Read of size
8 at addr ffff888100337000 by task multipathd/16727 Call Trace: <TASK>
dump_stack_lvl+0x34/0x44 print_report.cold+0x5e/0x5db
kasan_report+0xab/0x120 srp_exit_cmd_priv+0x27/0xd0 [ib_srp]
scsi_mq_exit_request+0x4d/0x70 blk_mq_free_rqs+0x143/0x410
__blk_mq_free_map_and_rqs+0x6e/0x100 blk_mq_free_tag_set+0x2b/0x160
scsi_host_dev_release+0xf3/0x1a0 device_release+0x54/0xe0
kobject_put+0xa5/0x120 device_release+0x54/0xe0 kobject_put+0xa5/0x120
scsi_device_dev_release_usercontext+0x4c1/0x4e0
execute_in_process_context+0x23/0x90 device_release+0x54/0xe0
kobject_put+0xa5/0x120 scsi_disk_release+0x3f/0x50 device_release+0x54/0xe0
kobject_put+0xa5/0x120 disk_release+0x17f/0x1b0 device_release+0x54/0xe0
kobject_put+0xa5/0x120 dm_put_table_device+0xa3/0x160 [dm_mod]
dm_put_device+0xd0/0x140 [dm_mod] free_priority_group+0xd8/0x110
[dm_multipath] free_multipath+0x94/0xe0 [dm_multipath]
dm_table_destroy+0xa2/0x1e0 [dm_mod] __dm_destroy+0x196/0x350 [dm_mod]
dev_remove+0x10c/0x160 [dm_mod] ctl_ioctl+0x2c2/0x590 [dm_mod]
dm_ctl_ioctl+0x5/0x10 [dm_mod] __x64_sys_ioctl+0xb4/0xf0
dm_ctl_ioctl+0x5/0x10 [dm_mod] __x64_sys_ioctl+0xb4/0xf0
do_syscall_64+0x3b/0x90 entry_SYSCALL_64_after_hwframe+0x46/0xb0
OS | Version | Architecture | Package | Version | Filename |
---|---|---|---|---|---|
ubuntu | 22.04 | noarch | linux | < any | UNKNOWN |
ubuntu | 22.04 | noarch | linux-aws | < any | UNKNOWN |
ubuntu | 20.04 | noarch | linux-aws-5.15 | < any | UNKNOWN |
ubuntu | 22.04 | noarch | linux-azure | < any | UNKNOWN |
ubuntu | 20.04 | noarch | linux-azure-5.15 | < any | UNKNOWN |
ubuntu | 22.04 | noarch | linux-azure-fde | < any | UNKNOWN |
ubuntu | 20.04 | noarch | linux-azure-fde-5.15 | < any | UNKNOWN |
ubuntu | 22.04 | noarch | linux-gcp | < any | UNKNOWN |
ubuntu | 20.04 | noarch | linux-gcp-5.15 | < any | UNKNOWN |
ubuntu | 22.04 | noarch | linux-gke | < any | UNKNOWN |
git.kernel.org/linus/8fe4ce5836e932f5766317cb651c1ff2a4cd0506 (6.0-rc5)
git.kernel.org/stable/c/2e7eb4c1e8af8385de22775bd0be552f59b28c9a
git.kernel.org/stable/c/8fe4ce5836e932f5766317cb651c1ff2a4cd0506
launchpad.net/bugs/cve/CVE-2022-48666
nvd.nist.gov/vuln/detail/CVE-2022-48666
security-tracker.debian.org/tracker/CVE-2022-48666
www.cve.org/CVERecord?id=CVE-2022-48666