CVE-2022-49082

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2022-49082
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-49082.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2022-49082
Downstream
Related
Published
2025-02-26T01:54:42Z
Modified
2025-10-15T18:48:43.713171Z
Severity
  • 7.8 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
scsi: mpt3sas: Fix use after free in _scsih_expander_node_remove()
Details

In the Linux kernel, the following vulnerability has been resolved:

scsi: mpt3sas: Fix use after free in scsihexpandernoderemove()

The function mpt3sastransportportremove() called in _scsihexpandernoderemove() frees the port field of the sasexpander structure, leading to the following use-after-free splat from KASAN when the iocinfo() call following that function is executed (e.g. when doing rmmod of the driver module):

[ 3479.371167] ================================================================== [ 3479.378496] BUG: KASAN: use-after-free in scsihexpandernoderemove+0x710/0x750 [mpt3sas] [ 3479.386936] Read of size 1 at addr ffff8881c037691c by task rmmod/1531 [ 3479.393524] [ 3479.395035] CPU: 18 PID: 1531 Comm: rmmod Not tainted 5.17.0-rc8+ #1436 [ 3479.401712] Hardware name: Supermicro Super Server/H12SSL-NT, BIOS 2.1 06/02/2021 [ 3479.409263] Call Trace: [ 3479.411743] <TASK> [ 3479.413875] dumpstacklvl+0x45/0x59 [ 3479.417582] printaddressdescription.constprop.0+0x1f/0x120 [ 3479.423389] ? scsihexpandernoderemove+0x710/0x750 [mpt3sas] [ 3479.429469] kasanreport.cold+0x83/0xdf [ 3479.433438] ? _scsihexpandernoderemove+0x710/0x750 [mpt3sas] [ 3479.439514] scsihexpandernoderemove+0x710/0x750 [mpt3sas] [ 3479.445411] ? rawspinunlockirqrestore+0x2d/0x40 [ 3479.452032] scsihremove+0x525/0xc90 [mpt3sas] [ 3479.458212] ? mpt3sasexpanderremove+0x1d0/0x1d0 [mpt3sas] [ 3479.465529] ? downwrite+0xde/0x150 [ 3479.470746] ? upwrite+0x14d/0x460 [ 3479.475840] ? kernfsfindns+0x137/0x310 [ 3479.481438] pcideviceremove+0x65/0x110 [ 3479.487013] _devicereleasedriver+0x316/0x680 [ 3479.493180] driverdetach+0x1ec/0x2d0 [ 3479.498499] busremovedriver+0xe7/0x2d0 [ 3479.504081] pciunregisterdriver+0x26/0x250 [ 3479.510033] _mpt3sasexit+0x2b/0x6cf [mpt3sas] [ 3479.516144] _x64sysdeletemodule+0x2fd/0x510 [ 3479.522315] ? freemodule+0xaa0/0xaa0 [ 3479.527593] ? _condresched+0x1c/0x90 [ 3479.532951] ? lockdephardirqsonprepare+0x273/0x3e0 [ 3479.539607] ? syscallenterfromusermode+0x21/0x70 [ 3479.546161] ? tracehardirqson+0x1c/0x110 [ 3479.551828] dosyscall64+0x35/0x80 [ 3479.556884] entrySYSCALL64afterhwframe+0x44/0xae [ 3479.563402] RIP: 0033:0x7f1fc482483b ... [ 3479.943087] ==================================================================

Fix this by introducing the local variable portid to store the port ID value before executing mpt3sastransportportremove(). This local variable is then used in the call to ioc_info() instead of dereferencing the freed port structure.

References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
7d310f241001e090cf1ec0f3ae836b38d8c6ebec
Fixed
25c1353dca74ad7cf3fd7ce258fe7c957a147d5e
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
7d310f241001e090cf1ec0f3ae836b38d8c6ebec
Fixed
17d66b1c92bcb41e72271ec60069d3684aaa1c9c
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
7d310f241001e090cf1ec0f3ae836b38d8c6ebec
Fixed
1bb8a7fc64d63ec818e367e1b37676ea2ef2d20c
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
7d310f241001e090cf1ec0f3ae836b38d8c6ebec
Fixed
87d663d40801dffc99a5ad3b0188ad3e2b4d1557

Affected versions

v5.*

v5.10
v5.10-rc2
v5.10-rc3
v5.10-rc4
v5.10-rc5
v5.10-rc6
v5.10-rc7
v5.11
v5.11-rc1
v5.11-rc2
v5.11-rc3
v5.11-rc4
v5.11-rc5
v5.11-rc6
v5.11-rc7
v5.12
v5.12-rc1
v5.12-rc1-dontuse
v5.12-rc2
v5.12-rc3
v5.12-rc4
v5.12-rc5
v5.12-rc6
v5.12-rc7
v5.12-rc8
v5.13
v5.13-rc1
v5.13-rc2
v5.13-rc3
v5.13-rc4
v5.13-rc5
v5.13-rc6
v5.13-rc7
v5.14
v5.14-rc1
v5.14-rc2
v5.14-rc3
v5.14-rc4
v5.14-rc5
v5.14-rc6
v5.14-rc7
v5.15
v5.15-rc1
v5.15-rc2
v5.15-rc3
v5.15-rc4
v5.15-rc5
v5.15-rc6
v5.15-rc7
v5.15.1
v5.15.10
v5.15.11
v5.15.12
v5.15.13
v5.15.14
v5.15.15
v5.15.16
v5.15.17
v5.15.18
v5.15.19
v5.15.2
v5.15.20
v5.15.21
v5.15.22
v5.15.23
v5.15.24
v5.15.25
v5.15.26
v5.15.27
v5.15.28
v5.15.29
v5.15.3
v5.15.30
v5.15.31
v5.15.32
v5.15.33
v5.15.4
v5.15.5
v5.15.6
v5.15.7
v5.15.8
v5.15.9
v5.16
v5.16-rc1
v5.16-rc2
v5.16-rc3
v5.16-rc4
v5.16-rc5
v5.16-rc6
v5.16-rc7
v5.16-rc8
v5.16.1
v5.16.10
v5.16.11
v5.16.12
v5.16.13
v5.16.14
v5.16.15
v5.16.16
v5.16.17
v5.16.18
v5.16.19
v5.16.2
v5.16.3
v5.16.4
v5.16.5
v5.16.6
v5.16.7
v5.16.8
v5.16.9
v5.17
v5.17-rc1
v5.17-rc2
v5.17-rc3
v5.17-rc4
v5.17-rc5
v5.17-rc6
v5.17-rc7
v5.17-rc8
v5.17.1
v5.17.2

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
5.11.0
Fixed
5.15.34
Type
ECOSYSTEM
Events
Introduced
5.16.0
Fixed
5.16.20
Type
ECOSYSTEM
Events
Introduced
5.17.0
Fixed
5.17.3