CVE-2022-49703

Source
https://nvd.nist.gov/vuln/detail/CVE-2022-49703
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-49703.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2022-49703
Published
2025-02-26T02:24:22Z
Modified
2025-10-13T18:54:26.151514Z
Severity
  • 5.5 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Summary
scsi: ibmvfc: Store vhost pointer during subcrq allocation
Details

In the Linux kernel, the following vulnerability has been resolved:

scsi: ibmvfc: Store vhost pointer during subcrq allocation

Currently the back pointer from a queue to the vhost adapter isn't set until after subcrq interrupt registration. The value is available when a queue is first allocated and can/should be also set for primary and async queues as well as subcrqs.

This fixes a crash observed during kexec/kdump on Power 9 with legacy XICS interrupt controller where a pending subcrq interrupt from the previous kernel can be replayed immediately upon IRQ registration resulting in dereference of a garbage backpointer in ibmvfc_interrupt_scsi().

Kernel attempted to read user page (58) - exploit attempt? (uid: 0)
BUG: Kernel NULL pointer dereference on read at 0x00000058
Faulting instruction address: 0xc008000003216a08
Oops: Kernel access of bad area, sig: 11 [#1]
...
NIP [c008000003216a08] ibmvfc_interrupt_scsi+0x40/0xb0 [ibmvfc]
LR [c0000000082079e8] __handle_irq_event_percpu+0x98/0x270
Call Trace:
[c000000047fa3d80] [c0000000123e6180] 0xc0000000123e6180 (unreliable)
[c000000047fa3df0] [c0000000082079e8] __handle_irq_event_percpu+0x98/0x270
[c000000047fa3ea0] [c000000008207d18] handle_irq_event+0x98/0x188
[c000000047fa3ef0] [c00000000820f564] handle_fasteoi_irq+0xc4/0x310
[c000000047fa3f40] [c000000008205c60] generic_handle_irq+0x50/0x80
[c000000047fa3f60] [c000000008015c40] __do_irq+0x70/0x1a0
[c000000047fa3f90] [c000000008016d7c] __do_IRQ+0x9c/0x130
[c000000014622f60] [0000000020000000] 0x20000000
[c000000014622ff0] [c000000008016e50] do_IRQ+0x40/0xa0
[c000000014623020] [c000000008017044] replay_soft_interrupts+0x194/0x2f0
[c000000014623210] [c0000000080172a8] arch_local_irq_restore+0x108/0x170
[c000000014623240] [c000000008eb1008] _raw_spin_unlock_irqrestore+0x58/0xb0
[c000000014623270] [c00000000820b12c] __setup_irq+0x49c/0x9f0
[c000000014623310] [c00000000820b7c0] request_threaded_irq+0x140/0x230
[c000000014623380] [c008000003212a50] ibmvfc_register_scsi_channel+0x1e8/0x2f0 [ibmvfc]
[c000000014623450] [c008000003213d1c] ibmvfc_init_sub_crqs+0xc4/0x1f0 [ibmvfc]
[c0000000146234d0] [c0080000032145a8] ibmvfc_reset_crq+0x150/0x210 [ibmvfc]
[c000000014623550] [c0080000032147c8] ibmvfc_init_crq+0x160/0x280 [ibmvfc]
[c0000000146235f0] [c00800000321a9cc] ibmvfc_probe+0x2a4/0x530 [ibmvfc]

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
3034ebe26389740bb6b4a463e05afb51dc93c336
Fixed
8540f66196ca35b7b5e902932571c18b9fde0cd1
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
3034ebe26389740bb6b4a463e05afb51dc93c336
Fixed
6d38e3b614ded59da8b95377a98df969a5a5627a
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
3034ebe26389740bb6b4a463e05afb51dc93c336
Fixed
aeaadcde1a60138bceb65de3cdaeec78170b4459

Affected versions

v5.*

v5.11
v5.11-rc3
v5.11-rc4
v5.11-rc5
v5.11-rc6
v5.11-rc7
v5.12
v5.12-rc1
v5.12-rc1-dontuse
v5.12-rc2
v5.12-rc3
v5.12-rc4
v5.12-rc5
v5.12-rc6
v5.12-rc7
v5.12-rc8
v5.13
v5.13-rc1
v5.13-rc2
v5.13-rc3
v5.13-rc4
v5.13-rc5
v5.13-rc6
v5.13-rc7
v5.14
v5.14-rc1
v5.14-rc2
v5.14-rc3
v5.14-rc4
v5.14-rc5
v5.14-rc6
v5.14-rc7
v5.15
v5.15-rc1
v5.15-rc2
v5.15-rc3
v5.15-rc4
v5.15-rc5
v5.15-rc6
v5.15-rc7
v5.15.1
v5.15.10
v5.15.11
v5.15.12
v5.15.13
v5.15.14
v5.15.15
v5.15.16
v5.15.17
v5.15.18
v5.15.19
v5.15.2
v5.15.20
v5.15.21
v5.15.22
v5.15.23
v5.15.24
v5.15.25
v5.15.26
v5.15.27
v5.15.28
v5.15.29
v5.15.3
v5.15.30
v5.15.31
v5.15.32
v5.15.33
v5.15.34
v5.15.35
v5.15.36
v5.15.37
v5.15.38
v5.15.39
v5.15.4
v5.15.40
v5.15.41
v5.15.42
v5.15.43
v5.15.44
v5.15.45
v5.15.46
v5.15.47
v5.15.48
v5.15.49
v5.15.5
v5.15.50
v5.15.6
v5.15.7
v5.15.8
v5.15.9
v5.16
v5.16-rc1
v5.16-rc2
v5.16-rc3
v5.16-rc4
v5.16-rc5
v5.16-rc6
v5.16-rc7
v5.16-rc8
v5.17
v5.17-rc1
v5.17-rc2
v5.17-rc3
v5.17-rc4
v5.17-rc5
v5.17-rc6
v5.17-rc7
v5.17-rc8
v5.18
v5.18-rc1
v5.18-rc2
v5.18-rc3
v5.18-rc4
v5.18-rc5
v5.18-rc6
v5.18-rc7
v5.18.1
v5.18.2
v5.18.3
v5.18.4
v5.18.5
v5.18.6
v5.18.7
v5.19-rc1

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
5.12.0
Fixed
5.15.51
Type
ECOSYSTEM
Events
Introduced
5.16.0
Fixed
5.18.8