{"dataType":"CVE_RECORD","dataVersion":"5.1","cveMetadata":{"cveId":"CVE-2022-48666","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2024-02-25T13:44:28.320Z","datePublished":"2024-04-28T13:01:50.526Z","dateUpdated":"2025-05-04T08:20:52.498Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2025-05-04T08:20:52.498Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: core: Fix a use-after-free\n\nThere are two .exit_cmd_priv implementations. Both implementations use\nresources associated with the SCSI host. Make sure that these resources are\nstill available when .exit_cmd_priv is called by waiting inside\nscsi_remove_host() until the tag set has been freed.\n\nThis commit fixes the following use-after-free:\n\n==================================================================\nBUG: KASAN: use-after-free in srp_exit_cmd_priv+0x27/0xd0 [ib_srp]\nRead of size 8 at addr ffff888100337000 by task multipathd/16727\nCall Trace:\n <TASK>\n dump_stack_lvl+0x34/0x44\n print_report.cold+0x5e/0x5db\n kasan_report+0xab/0x120\n srp_exit_cmd_priv+0x27/0xd0 [ib_srp]\n scsi_mq_exit_request+0x4d/0x70\n blk_mq_free_rqs+0x143/0x410\n __blk_mq_free_map_and_rqs+0x6e/0x100\n blk_mq_free_tag_set+0x2b/0x160\n scsi_host_dev_release+0xf3/0x1a0\n device_release+0x54/0xe0\n kobject_put+0xa5/0x120\n device_release+0x54/0xe0\n kobject_put+0xa5/0x120\n scsi_device_dev_release_usercontext+0x4c1/0x4e0\n execute_in_process_context+0x23/0x90\n device_release+0x54/0xe0\n kobject_put+0xa5/0x120\n scsi_disk_release+0x3f/0x50\n device_release+0x54/0xe0\n kobject_put+0xa5/0x120\n disk_release+0x17f/0x1b0\n device_release+0x54/0xe0\n kobject_put+0xa5/0x120\n dm_put_table_device+0xa3/0x160 [dm_mod]\n dm_put_device+0xd0/0x140 [dm_mod]\n free_priority_group+0xd8/0x110 [dm_multipath]\n free_multipath+0x94/0xe0 [dm_multipath]\n dm_table_destroy+0xa2/0x1e0 [dm_mod]\n __dm_destroy+0x196/0x350 [dm_mod]\n dev_remove+0x10c/0x160 [dm_mod]\n ctl_ioctl+0x2c2/0x590 [dm_mod]\n dm_ctl_ioctl+0x5/0x10 [dm_mod]\n __x64_sys_ioctl+0xb4/0xf0\n dm_ctl_ioctl+0x5/0x10 [dm_mod]\n __x64_sys_ioctl+0xb4/0xf0\n do_syscall_64+0x3b/0x90\n entry_SYSCALL_64_after_hwframe+0x46/0xb0"}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/scsi/hosts.c","drivers/scsi/scsi_lib.c","drivers/scsi/scsi_priv.h","drivers/scsi/scsi_scan.c","drivers/scsi/scsi_sysfs.c","include/scsi/scsi_host.h"],"versions":[{"version":"65ca846a53149a1a72cd8d02e7b2e73dd545b834","lessThan":"5ce8fad941233e81f2afb5b52a3fcddd3ba8732f","status":"affected","versionType":"git"},{"version":"65ca846a53149a1a72cd8d02e7b2e73dd545b834","lessThan":"f818708eeeae793e12dc39f8984ed7732048a7d9","status":"affected","versionType":"git"},{"version":"65ca846a53149a1a72cd8d02e7b2e73dd545b834","lessThan":"2e7eb4c1e8af8385de22775bd0be552f59b28c9a","status":"affected","versionType":"git"},{"version":"65ca846a53149a1a72cd8d02e7b2e73dd545b834","lessThan":"8fe4ce5836e932f5766317cb651c1ff2a4cd0506","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/scsi/hosts.c","drivers/scsi/scsi_lib.c","drivers/scsi/scsi_priv.h","drivers/scsi/scsi_scan.c","drivers/scsi/scsi_sysfs.c","include/scsi/scsi_host.h"],"versions":[{"version":"5.7","status":"affected"},{"version":"0","lessThan":"5.7","status":"unaffected","versionType":"semver"},{"version":"5.10.223","lessThanOrEqual":"5.10.*","status":"unaffected","versionType":"semver"},{"version":"5.15.164","lessThanOrEqual":"5.15.*","status":"unaffected","versionType":"semver"},{"version":"5.19.12","lessThanOrEqual":"5.19.*","status":"unaffected","versionType":"semver"},{"version":"6.0","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.7","versionEndExcluding":"5.10.223"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.7","versionEndExcluding":"5.15.164"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.7","versionEndExcluding":"5.19.12"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.7","versionEndExcluding":"6.0"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/5ce8fad941233e81f2afb5b52a3fcddd3ba8732f"},{"url":"https://git.kernel.org/stable/c/f818708eeeae793e12dc39f8984ed7732048a7d9"},{"url":"https://git.kernel.org/stable/c/2e7eb4c1e8af8385de22775bd0be552f59b28c9a"},{"url":"https://git.kernel.org/stable/c/8fe4ce5836e932f5766317cb651c1ff2a4cd0506"}],"title":"scsi: core: Fix a use-after-free","x_generator":{"engine":"bippy-1.2.0"}},"adp":[{"title":"CISA ADP Vulnrichment","metrics":[{"cvssV3_1":{"scope":"UNCHANGED","version":"3.1","baseScore":7.4,"attackVector":"LOCAL","baseSeverity":"HIGH","vectorString":"CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H","integrityImpact":"HIGH","userInteraction":"NONE","attackComplexity":"HIGH","availabilityImpact":"HIGH","privilegesRequired":"NONE","confidentialityImpact":"HIGH"}},{"other":{"type":"ssvc","content":{"id":"CVE-2022-48666","role":"CISA Coordinator","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"total"}],"version":"2.0.3","timestamp":"2024-04-29T13:16:40.985574Z"}}}],"affected":[{"cpes":["cpe:2.3:o:linux:linux_kernel:5.7:*:*:*:*:*:*:*"],"vendor":"linux","product":"linux_kernel","versions":[{"status":"affected","version":"5.7"}],"defaultStatus":"unknown"},{"cpes":["cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*"],"vendor":"linux","product":"linux_kernel","versions":[{"status":"affected","version":"65ca846a5314","lessThan":"2e7eb4c1e8af","versionType":"custom"}],"defaultStatus":"unknown"}],"problemTypes":[{"descriptions":[{"lang":"en","type":"CWE","cweId":"CWE-416","description":"CWE-416 Use After Free"}]}],"providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2024-06-04T17:16:47.878Z"}},{"providerMetadata":{"orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE","dateUpdated":"2024-08-03T15:17:55.718Z"},"title":"CVE Program Container","references":[{"url":"https://git.kernel.org/stable/c/5ce8fad941233e81f2afb5b52a3fcddd3ba8732f","tags":["x_transferred"]},{"url":"https://git.kernel.org/stable/c/f818708eeeae793e12dc39f8984ed7732048a7d9","tags":["x_transferred"]},{"url":"https://git.kernel.org/stable/c/2e7eb4c1e8af8385de22775bd0be552f59b28c9a","tags":["x_transferred"]},{"url":"https://git.kernel.org/stable/c/8fe4ce5836e932f5766317cb651c1ff2a4cd0506","tags":["x_transferred"]}]}]}}