CVE-2022-49082

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2022-49082
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-49082.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2022-49082
Downstream
Related
Published
2025-02-26T01:54:42.101Z
Modified
2026-03-12T03:24:35.227850Z
Severity
  • 7.8 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
scsi: mpt3sas: Fix use after free in _scsih_expander_node_remove()
Details

In the Linux kernel, the following vulnerability has been resolved:

scsi: mpt3sas: Fix use after free in scsihexpandernoderemove()

The function mpt3sastransportportremove() called in scsihexpandernoderemove() frees the port field of the sasexpander structure, leading to the following use-after-free splat from KASAN when the ioc_info() call following that function is executed (e.g. when doing rmmod of the driver module):

[ 3479.371167] ================================================================== [ 3479.378496] BUG: KASAN: use-after-free in scsihexpandernoderemove+0x710/0x750 [mpt3sas] [ 3479.386936] Read of size 1 at addr ffff8881c037691c by task rmmod/1531 [ 3479.393524] [ 3479.395035] CPU: 18 PID: 1531 Comm: rmmod Not tainted 5.17.0-rc8+ #1436 [ 3479.401712] Hardware name: Supermicro Super Server/H12SSL-NT, BIOS 2.1 06/02/2021 [ 3479.409263] Call Trace: [ 3479.411743] <TASK> [ 3479.413875] dumpstacklvl+0x45/0x59 [ 3479.417582] printaddressdescription.constprop.0+0x1f/0x120 [ 3479.423389] ? scsihexpandernoderemove+0x710/0x750 [mpt3sas] [ 3479.429469] kasanreport.cold+0x83/0xdf [ 3479.433438] ? scsihexpandernoderemove+0x710/0x750 [mpt3sas] [ 3479.439514] scsihexpandernoderemove+0x710/0x750 [mpt3sas] [ 3479.445411] ? rawspinunlockirqrestore+0x2d/0x40 [ 3479.452032] scsihremove+0x525/0xc90 [mpt3sas] [ 3479.458212] ? mpt3sasexpanderremove+0x1d0/0x1d0 [mpt3sas] [ 3479.465529] ? downwrite+0xde/0x150 [ 3479.470746] ? upwrite+0x14d/0x460 [ 3479.475840] ? kernfsfindns+0x137/0x310 [ 3479.481438] pcideviceremove+0x65/0x110 [ 3479.487013] __devicereleasedriver+0x316/0x680 [ 3479.493180] driver_detach+0x1ec/0x2d0 [ 3479.498499] busremovedriver+0xe7/0x2d0 [ 3479.504081] pciunregisterdriver+0x26/0x250 [ 3479.510033] mpt3sasexit+0x2b/0x6cf [mpt3sas] [ 3479.516144] __x64sysdeletemodule+0x2fd/0x510 [ 3479.522315] ? freemodule+0xaa0/0xaa0 [ 3479.527593] ? __condresched+0x1c/0x90 [ 3479.532951] ? lockdephardirqsonprepare+0x273/0x3e0 [ 3479.539607] ? syscallenterfromusermode+0x21/0x70 [ 3479.546161] ? tracehardirqson+0x1c/0x110 [ 3479.551828] dosyscall64+0x35/0x80 [ 3479.556884] entrySYSCALL64afterhwframe+0x44/0xae [ 3479.563402] RIP: 0033:0x7f1fc482483b ... [ 3479.943087] ==================================================================

Fix this by introducing the local variable portid to store the port ID value before executing mpt3sastransportportremove(). This local variable is then used in the call to ioc_info() instead of dereferencing the freed port structure.

Database specific 
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/49xxx/CVE-2022-49082.json",
    "cna_assigner": "Linux"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
7d310f241001e090cf1ec0f3ae836b38d8c6ebec
Fixed
25c1353dca74ad7cf3fd7ce258fe7c957a147d5e
Fixed
17d66b1c92bcb41e72271ec60069d3684aaa1c9c
Fixed
1bb8a7fc64d63ec818e367e1b37676ea2ef2d20c
Fixed
87d663d40801dffc99a5ad3b0188ad3e2b4d1557

Database specific

source 
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-49082.json"