Bug 2400826 (CVE-2022-50422) - CVE-2022-50422 kernel: scsi: libsas: Fix use-after-free bug in smp_execute_task_sg()
Summary: CVE-2022-50422 kernel: scsi: libsas: Fix use-after-free bug in smp_execute_ta...
Keywords:
Status: NEW
Alias: CVE-2022-50422
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2025-10-01 12:09 UTC by OSIDB Bzimport
Modified: 2025-10-06 17:41 UTC (History)
0 users

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)

Description OSIDB Bzimport 2025-10-01 12:09:33 UTC 
In the Linux kernel, the following vulnerability has been resolved:

scsi: libsas: Fix use-after-free bug in smp_execute_task_sg()

When executing SMP task failed, the smp_execute_task_sg() calls del_timer()
to delete "slow_task->timer". However, if the timer handler
sas_task_internal_timedout() is running, the del_timer() in
smp_execute_task_sg() will not stop it and a UAF will happen. The process
is shown below:

      (thread 1)               |        (thread 2)
smp_execute_task_sg()          | sas_task_internal_timedout()
 ...                           |
 del_timer()                   |
 ...                           |  ...
 sas_free_task(task)           |
  kfree(task->slow_task) //FREE|
                               |  task->slow_task->... //USE

Fix by calling del_timer_sync() in smp_execute_task_sg(), which makes sure
the timer handler have finished before the "task->slow_task" is
deallocated.
Comment 1 Jon Moroney 2025-10-01 17:16:23 UTC 
Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2025100155-CVE-2022-50422-287b@gregkh/T
Note You need to log in before you can comment on or make changes to this bug.