CVE-2022-49376
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2022-49376
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-49376.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2022-49376
- Related
- Published
- 2025-02-26T07:01:14Z
- Modified
- 2025-02-26T19:03:19.829249Z
- Summary
- [none]
- Details
-
In the Linux kernel, the following vulnerability has been resolved:
scsi: sd: Fix potential NULL pointer dereference
If sdprobe() sees an early error before sdkp->device is initialized, sdzbcreleasedisk() is called. This causes a NULL pointer dereference when sdiszoned() is called inside that function. Avoid this by removing the call to sdzbcreleasedisk() in sdprobe() error path.
This change is safe and does not result in zone information memory leakage because the zone information for a zoned disk is allocated only when sdrevalidatedisk() is called, at which point sdkp->diskdev is fully set, resulting in sddiskrelease() being called when needed to cleanup a disk zone information using sdzbcreleasedisk().
- References
-
- https://git.kernel.org/stable/c/05fbde3a77a4f1d62e4c4428f384288c1f1a0be5
- https://git.kernel.org/stable/c/0fcb0b131cc90c8f523a293d84c58d0c7273c96f
- https://git.kernel.org/stable/c/3733439593ad12f7b54ae35c273ea6f15d692de3
- https://git.kernel.org/stable/c/78f8e96df06e2d04d82d4071c299b59d28744f47
- https://git.kernel.org/stable/c/c1f0187025905e9981000d44a92e159468b561a8
- https://security-tracker.debian.org/tracker/CVE-2022-49376
Affected packages
Debian:11 / linux
Package
- Name
- linux
- Purl
- pkg:deb/debian/linux?arch=source
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed5.10.127-1
Debian:12 / linux
Package
- Name
- linux
- Purl
- pkg:deb/debian/linux?arch=source
Debian:13 / linux
Package
- Name
- linux
- Purl
- pkg:deb/debian/linux?arch=source