Bug 2298127 (CVE-2022-48791) - CVE-2022-48791 kernel: scsi: pm8001: Fix use-after-free for aborted TMF sas_task
Summary: CVE-2022-48791 kernel: scsi: pm8001: Fix use-after-free for aborted TMF sas_task
Keywords:
Status: NEW
Alias: CVE-2022-48791
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2024-07-16 12:26 UTC by OSIDB Bzimport
Modified: 2024-09-24 13:54 UTC

Fixed In Version: kernel 5.10.102, kernel 5.15.25, kernel 5.16.11, kernel 5.17
Clone Of:
Environment:
Last Closed:
Embargoed:



Description OSIDB Bzimport 2024-07-16 12:26:04 UTC
In the Linux kernel, the following vulnerability has been resolved:

scsi: pm8001: Fix use-after-free for aborted TMF sas_task

Currently a use-after-free may occur if a TMF sas_task is aborted before we
handle the IO completion in mpi_ssp_completion(). The abort occurs due to
timeout.

When the timeout occurs, the SAS_TASK_STATE_ABORTED flag is set and the
sas_task is freed in pm8001_exec_internal_tmf_task().

However, if the I/O completion occurs later, the I/O completion still
thinks that the sas_task is available. Fix this by clearing the ccb->task
if the TMF times out - the I/O completion handler does nothing if this
pointer is cleared.
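As an added illustration, not code from the kernel or from this bug report, here is a small userspace C model of the race the description covers: the TMF timeout path clears ccb->task before freeing the sas_task, so a completion that arrives afterwards finds nothing and returns without touching freed memory. The struct layouts, the flag value and the function names are simplified stand-ins for the kernel's, not its actual definitions.

```c
#include <stdbool.h>
#include <stdlib.h>
#define SAS_TASK_STATE_ABORTED 0x1   /* stand-in for the kernel flag */
struct sas_task {
    unsigned int task_state_flags;
    int status;                      /* written by the completion handler */
};

struct ccb {                         /* command control block */
    struct sas_task *task;           /* completion reaches the task only here */
};

/* Timeout path, modelled on the fixed pm8001_exec_internal_tmf_task(): mark
 * the task aborted, detach it from the ccb, then free it. Before the fix
 * ccb->task kept pointing at freed memory, which a late completion used. */
static void tmf_timeout(struct ccb *ccb)
{
    struct sas_task *task = ccb->task;
    task->task_state_flags |= SAS_TASK_STATE_ABORTED;
    ccb->task = NULL;                /* the fix: detach before freeing */
    free(task);
}

/* I/O completion, modelled on mpi_ssp_completion(): returns true if it
 * completed a task, false if ccb->task had already been cleared. */
static bool ssp_completion(struct ccb *ccb, int status)
{
    struct sas_task *task = ccb->task;
    if (!task)
        return false;                /* TMF already timed out: nothing to do */
    task->status = status;
    ccb->task = NULL;
    return true;
}

/* Advisory scenario: TMF times out, then its completion arrives late. */
static bool late_completion_is_ignored(void)
{
    struct ccb ccb = { .task = calloc(1, sizeof(struct sas_task)) };
    tmf_timeout(&ccb);
    return !ssp_completion(&ccb, 0);  /* true: completion did nothing */
}

/* Normal ordering: completion first; returns the status it recorded. */
static int normal_completion_status(void)
{
    struct sas_task task = { 0 };
    struct ccb ccb = { .task = &task };
    return ssp_completion(&ccb, 7) ? task.status : -1;
}
```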

