CVE-2022-49703
- Source
- https://cve.org/CVERecord?id=CVE-2022-49703
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-49703.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2022-49703
- Downstream
- Related
- Published
- 2025-02-26T02:24:22.700Z
- Modified
- 2026-03-12T03:25:36.213812Z
- Severity
-
- 5.5 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
- Summary
- scsi: ibmvfc: Store vhost pointer during subcrq allocation
- Details
-
In the Linux kernel, the following vulnerability has been resolved:
scsi: ibmvfc: Store vhost pointer during subcrq allocation
Currently the back pointer from a queue to the vhost adapter isn't set until after subcrq interrupt registration. The value is available when a queue is first allocated and can/should be also set for primary and async queues as well as subcrqs.
This fixes a crash observed during kexec/kdump on Power 9 with legacy XICS interrupt controller where a pending subcrq interrupt from the previous kernel can be replayed immediately upon IRQ registration resulting in dereference of a garbage backpointer in ibmvfcinterruptscsi().
Kernel attempted to read user page (58) - exploit attempt? (uid: 0) BUG: Kernel NULL pointer dereference on read at 0x00000058 Faulting instruction address: 0xc008000003216a08 Oops: Kernel access of bad area, sig: 11 [#1] ... NIP [c008000003216a08] ibmvfcinterruptscsi+0x40/0xb0 [ibmvfc] LR [c0000000082079e8] __handleirqevent_percpu+0x98/0x270 Call Trace: [c000000047fa3d80] [c0000000123e6180] 0xc0000000123e6180 (unreliable) [c000000047fa3df0] [c0000000082079e8] __handleirqevent_percpu+0x98/0x270 [c000000047fa3ea0] [c000000008207d18] handleirqevent+0x98/0x188 [c000000047fa3ef0] [c00000000820f564] handlefasteoiirq+0xc4/0x310 [c000000047fa3f40] [c000000008205c60] generichandleirq+0x50/0x80 [c000000047fa3f60] [c000000008015c40] __do_irq+0x70/0x1a0 [c000000047fa3f90] [c000000008016d7c] __doIRQ+0x9c/0x130 [c000000014622f60] [0000000020000000] 0x20000000 [c000000014622ff0] [c000000008016e50] doIRQ+0x40/0xa0 [c000000014623020] [c000000008017044] replaysoftinterrupts+0x194/0x2f0 [c000000014623210] [c0000000080172a8] arch_localirqrestore+0x108/0x170 [c000000014623240] [c000000008eb1008] rawspinunlockirqrestore+0x58/0xb0 [c000000014623270] [c00000000820b12c] __setupirq+0x49c/0x9f0 [c000000014623310] [c00000000820b7c0] requestthreadedirq+0x140/0x230 [c000000014623380] [c008000003212a50] ibmvfcregisterscsichannel+0x1e8/0x2f0 [ibmvfc] [c000000014623450] [c008000003213d1c] ibmvfcinitsubcrqs+0xc4/0x1f0 [ibmvfc] [c0000000146234d0] [c0080000032145a8] ibmvfcresetcrq+0x150/0x210 [ibmvfc] [c000000014623550] [c0080000032147c8] ibmvfcinitcrq+0x160/0x280 [ibmvfc] [c0000000146235f0] [c00800000321a9cc] ibmvfcprobe+0x2a4/0x530 [ibmvfc]
- Database specific
{ "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/49xxx/CVE-2022-49703.json", "cna_assigner": "Linux" }- References
-
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- https://git.kernel.org/stable/c/6d38e3b614ded59da8b95377a98df969a5a5627a
- https://git.kernel.org/stable/c/8540f66196ca35b7b5e902932571c18b9fde0cd1
- https://git.kernel.org/stable/c/aeaadcde1a60138bceb65de3cdaeec78170b4459
- https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/49xxx/CVE-2022-49703.json
- https://nvd.nist.gov/vuln/detail/CVE-2022-49703