{"dataType":"CVE_RECORD","dataVersion":"5.1","cveMetadata":{"cveId":"CVE-2022-49082","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2025-02-26T01:49:39.247Z","datePublished":"2025-02-26T01:54:42.101Z","dateUpdated":"2025-05-04T08:29:20.299Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2025-05-04T08:29:20.299Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: mpt3sas: Fix use after free in _scsih_expander_node_remove()\n\nThe function mpt3sas_transport_port_remove() called in\n_scsih_expander_node_remove() frees the port field of the sas_expander\nstructure, leading to the following use-after-free splat from KASAN when\nthe ioc_info() call following that function is executed (e.g. when doing\nrmmod of the driver module):\n\n[ 3479.371167] ==================================================================\n[ 3479.378496] BUG: KASAN: use-after-free in _scsih_expander_node_remove+0x710/0x750 [mpt3sas]\n[ 3479.386936] Read of size 1 at addr ffff8881c037691c by task rmmod/1531\n[ 3479.393524]\n[ 3479.395035] CPU: 18 PID: 1531 Comm: rmmod Not tainted 5.17.0-rc8+ #1436\n[ 3479.401712] Hardware name: Supermicro Super Server/H12SSL-NT, BIOS 2.1 06/02/2021\n[ 3479.409263] Call Trace:\n[ 3479.411743]  <TASK>\n[ 3479.413875]  dump_stack_lvl+0x45/0x59\n[ 3479.417582]  print_address_description.constprop.0+0x1f/0x120\n[ 3479.423389]  ? _scsih_expander_node_remove+0x710/0x750 [mpt3sas]\n[ 3479.429469]  kasan_report.cold+0x83/0xdf\n[ 3479.433438]  ? _scsih_expander_node_remove+0x710/0x750 [mpt3sas]\n[ 3479.439514]  _scsih_expander_node_remove+0x710/0x750 [mpt3sas]\n[ 3479.445411]  ? _raw_spin_unlock_irqrestore+0x2d/0x40\n[ 3479.452032]  scsih_remove+0x525/0xc90 [mpt3sas]\n[ 3479.458212]  ? mpt3sas_expander_remove+0x1d0/0x1d0 [mpt3sas]\n[ 3479.465529]  ? down_write+0xde/0x150\n[ 3479.470746]  ? up_write+0x14d/0x460\n[ 3479.475840]  ? kernfs_find_ns+0x137/0x310\n[ 3479.481438]  pci_device_remove+0x65/0x110\n[ 3479.487013]  __device_release_driver+0x316/0x680\n[ 3479.493180]  driver_detach+0x1ec/0x2d0\n[ 3479.498499]  bus_remove_driver+0xe7/0x2d0\n[ 3479.504081]  pci_unregister_driver+0x26/0x250\n[ 3479.510033]  _mpt3sas_exit+0x2b/0x6cf [mpt3sas]\n[ 3479.516144]  __x64_sys_delete_module+0x2fd/0x510\n[ 3479.522315]  ? free_module+0xaa0/0xaa0\n[ 3479.527593]  ? __cond_resched+0x1c/0x90\n[ 3479.532951]  ? lockdep_hardirqs_on_prepare+0x273/0x3e0\n[ 3479.539607]  ? syscall_enter_from_user_mode+0x21/0x70\n[ 3479.546161]  ? trace_hardirqs_on+0x1c/0x110\n[ 3479.551828]  do_syscall_64+0x35/0x80\n[ 3479.556884]  entry_SYSCALL_64_after_hwframe+0x44/0xae\n[ 3479.563402] RIP: 0033:0x7f1fc482483b\n...\n[ 3479.943087] ==================================================================\n\nFix this by introducing the local variable port_id to store the port ID\nvalue before executing mpt3sas_transport_port_remove(). This local variable\nis then used in the call to ioc_info() instead of dereferencing the freed\nport structure."}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/scsi/mpt3sas/mpt3sas_scsih.c"],"versions":[{"version":"7d310f241001e090cf1ec0f3ae836b38d8c6ebec","lessThan":"25c1353dca74ad7cf3fd7ce258fe7c957a147d5e","status":"affected","versionType":"git"},{"version":"7d310f241001e090cf1ec0f3ae836b38d8c6ebec","lessThan":"17d66b1c92bcb41e72271ec60069d3684aaa1c9c","status":"affected","versionType":"git"},{"version":"7d310f241001e090cf1ec0f3ae836b38d8c6ebec","lessThan":"1bb8a7fc64d63ec818e367e1b37676ea2ef2d20c","status":"affected","versionType":"git"},{"version":"7d310f241001e090cf1ec0f3ae836b38d8c6ebec","lessThan":"87d663d40801dffc99a5ad3b0188ad3e2b4d1557","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/scsi/mpt3sas/mpt3sas_scsih.c"],"versions":[{"version":"5.11","status":"affected"},{"version":"0","lessThan":"5.11","status":"unaffected","versionType":"semver"},{"version":"5.15.34","lessThanOrEqual":"5.15.*","status":"unaffected","versionType":"semver"},{"version":"5.16.20","lessThanOrEqual":"5.16.*","status":"unaffected","versionType":"semver"},{"version":"5.17.3","lessThanOrEqual":"5.17.*","status":"unaffected","versionType":"semver"},{"version":"5.18","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.11","versionEndExcluding":"5.15.34"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.11","versionEndExcluding":"5.16.20"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.11","versionEndExcluding":"5.17.3"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.11","versionEndExcluding":"5.18"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/25c1353dca74ad7cf3fd7ce258fe7c957a147d5e"},{"url":"https://git.kernel.org/stable/c/17d66b1c92bcb41e72271ec60069d3684aaa1c9c"},{"url":"https://git.kernel.org/stable/c/1bb8a7fc64d63ec818e367e1b37676ea2ef2d20c"},{"url":"https://git.kernel.org/stable/c/87d663d40801dffc99a5ad3b0188ad3e2b4d1557"}],"title":"scsi: mpt3sas: Fix use after free in _scsih_expander_node_remove()","x_generator":{"engine":"bippy-1.2.0"}},"adp":[{"metrics":[{"cvssV3_1":{"scope":"UNCHANGED","version":"3.1","baseScore":7.8,"attackVector":"LOCAL","baseSeverity":"HIGH","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","integrityImpact":"HIGH","userInteraction":"NONE","attackComplexity":"LOW","availabilityImpact":"HIGH","privilegesRequired":"LOW","confidentialityImpact":"HIGH"}},{"other":{"type":"ssvc","content":{"id":"CVE-2022-49082","role":"CISA Coordinator","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"total"}],"version":"2.0.3","timestamp":"2025-02-27T18:17:34.716925Z"}}}],"problemTypes":[{"descriptions":[{"lang":"en","type":"CWE","cweId":"CWE-416","description":"CWE-416 Use After Free"}]}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2025-02-27T18:22:35.454Z"}}]}}