cve/published/2022/CVE-2022-48666.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2022-48666: scsi: core: Fix a use-after-free

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 scsi: core: Fix a use-after-free

 There are two .exit_cmd_priv implementations. Both implementations use
 resources associated with the SCSI host. Make sure that these resources are
 still available when .exit_cmd_priv is called by waiting inside
 scsi_remove_host() until the tag set has been freed.

 This commit fixes the following use-after-free:

 ==================================================================
 BUG: KASAN: use-after-free in srp_exit_cmd_priv+0x27/0xd0 [ib_srp]
 Read of size 8 at addr ffff888100337000 by task multipathd/16727
 Call Trace:
  <TASK>
  dump_stack_lvl+0x34/0x44
  print_report.cold+0x5e/0x5db
  kasan_report+0xab/0x120
  srp_exit_cmd_priv+0x27/0xd0 [ib_srp]
  scsi_mq_exit_request+0x4d/0x70
  blk_mq_free_rqs+0x143/0x410
  __blk_mq_free_map_and_rqs+0x6e/0x100
  blk_mq_free_tag_set+0x2b/0x160
  scsi_host_dev_release+0xf3/0x1a0
  device_release+0x54/0xe0
  kobject_put+0xa5/0x120
  device_release+0x54/0xe0
  kobject_put+0xa5/0x120
  scsi_device_dev_release_usercontext+0x4c1/0x4e0
  execute_in_process_context+0x23/0x90
  device_release+0x54/0xe0
  kobject_put+0xa5/0x120
  scsi_disk_release+0x3f/0x50
  device_release+0x54/0xe0
  kobject_put+0xa5/0x120
  disk_release+0x17f/0x1b0
  device_release+0x54/0xe0
  kobject_put+0xa5/0x120
  dm_put_table_device+0xa3/0x160 [dm_mod]
  dm_put_device+0xd0/0x140 [dm_mod]
  free_priority_group+0xd8/0x110 [dm_multipath]
  free_multipath+0x94/0xe0 [dm_multipath]
  dm_table_destroy+0xa2/0x1e0 [dm_mod]
  __dm_destroy+0x196/0x350 [dm_mod]
  dev_remove+0x10c/0x160 [dm_mod]
  ctl_ioctl+0x2c2/0x590 [dm_mod]
  dm_ctl_ioctl+0x5/0x10 [dm_mod]
  __x64_sys_ioctl+0xb4/0xf0
  dm_ctl_ioctl+0x5/0x10 [dm_mod]
  __x64_sys_ioctl+0xb4/0xf0
  do_syscall_64+0x3b/0x90
  entry_SYSCALL_64_after_hwframe+0x46/0xb0

 The Linux kernel CVE team has assigned CVE-2022-48666 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 5.7 with commit 65ca846a53149a1a72cd8d02e7b2e73dd545b834 and fixed in 5.10.223 with commit 5ce8fad941233e81f2afb5b52a3fcddd3ba8732f
 	Issue introduced in 5.7 with commit 65ca846a53149a1a72cd8d02e7b2e73dd545b834 and fixed in 5.15.164 with commit f818708eeeae793e12dc39f8984ed7732048a7d9
 	Issue introduced in 5.7 with commit 65ca846a53149a1a72cd8d02e7b2e73dd545b834 and fixed in 5.19.12 with commit 2e7eb4c1e8af8385de22775bd0be552f59b28c9a
 	Issue introduced in 5.7 with commit 65ca846a53149a1a72cd8d02e7b2e73dd545b834 and fixed in 6.0 with commit 8fe4ce5836e932f5766317cb651c1ff2a4cd0506

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2022-48666
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	drivers/scsi/hosts.c
 	drivers/scsi/scsi_lib.c
 	drivers/scsi/scsi_priv.h
 	drivers/scsi/scsi_scan.c
 	drivers/scsi/scsi_sysfs.c
 	include/scsi/scsi_host.h


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/5ce8fad941233e81f2afb5b52a3fcddd3ba8732f
 	https://git.kernel.org/stable/c/f818708eeeae793e12dc39f8984ed7732048a7d9
 	https://git.kernel.org/stable/c/2e7eb4c1e8af8385de22775bd0be552f59b28c9a
 	https://git.kernel.org/stable/c/8fe4ce5836e932f5766317cb651c1ff2a4cd0506
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2022-48666: scsi: core: Fix a use-after-free

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	scsi: core: Fix a use-after-free

	There are two .exit_cmd_priv implementations. Both implementations use
	resources associated with the SCSI host. Make sure that these resources are
	still available when .exit_cmd_priv is called by waiting inside
	scsi_remove_host() until the tag set has been freed.

	This commit fixes the following use-after-free:

	==================================================================
	BUG: KASAN: use-after-free in srp_exit_cmd_priv+0x27/0xd0 [ib_srp]
	Read of size 8 at addr ffff888100337000 by task multipathd/16727
	Call Trace:
	<TASK>
	dump_stack_lvl+0x34/0x44
	print_report.cold+0x5e/0x5db
	kasan_report+0xab/0x120
	srp_exit_cmd_priv+0x27/0xd0 [ib_srp]
	scsi_mq_exit_request+0x4d/0x70
	blk_mq_free_rqs+0x143/0x410
	__blk_mq_free_map_and_rqs+0x6e/0x100
	blk_mq_free_tag_set+0x2b/0x160
	scsi_host_dev_release+0xf3/0x1a0
	device_release+0x54/0xe0
	kobject_put+0xa5/0x120
	device_release+0x54/0xe0
	kobject_put+0xa5/0x120
	scsi_device_dev_release_usercontext+0x4c1/0x4e0
	execute_in_process_context+0x23/0x90
	device_release+0x54/0xe0
	kobject_put+0xa5/0x120
	scsi_disk_release+0x3f/0x50
	device_release+0x54/0xe0
	kobject_put+0xa5/0x120
	disk_release+0x17f/0x1b0
	device_release+0x54/0xe0
	kobject_put+0xa5/0x120
	dm_put_table_device+0xa3/0x160 [dm_mod]
	dm_put_device+0xd0/0x140 [dm_mod]
	free_priority_group+0xd8/0x110 [dm_multipath]
	free_multipath+0x94/0xe0 [dm_multipath]
	dm_table_destroy+0xa2/0x1e0 [dm_mod]
	__dm_destroy+0x196/0x350 [dm_mod]
	dev_remove+0x10c/0x160 [dm_mod]
	ctl_ioctl+0x2c2/0x590 [dm_mod]
	dm_ctl_ioctl+0x5/0x10 [dm_mod]
	__x64_sys_ioctl+0xb4/0xf0
	dm_ctl_ioctl+0x5/0x10 [dm_mod]
	__x64_sys_ioctl+0xb4/0xf0
	do_syscall_64+0x3b/0x90
	entry_SYSCALL_64_after_hwframe+0x46/0xb0

	The Linux kernel CVE team has assigned CVE-2022-48666 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 5.7 with commit 65ca846a53149a1a72cd8d02e7b2e73dd545b834 and fixed in 5.10.223 with commit 5ce8fad941233e81f2afb5b52a3fcddd3ba8732f
	Issue introduced in 5.7 with commit 65ca846a53149a1a72cd8d02e7b2e73dd545b834 and fixed in 5.15.164 with commit f818708eeeae793e12dc39f8984ed7732048a7d9
	Issue introduced in 5.7 with commit 65ca846a53149a1a72cd8d02e7b2e73dd545b834 and fixed in 5.19.12 with commit 2e7eb4c1e8af8385de22775bd0be552f59b28c9a
	Issue introduced in 5.7 with commit 65ca846a53149a1a72cd8d02e7b2e73dd545b834 and fixed in 6.0 with commit 8fe4ce5836e932f5766317cb651c1ff2a4cd0506

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2022-48666
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	drivers/scsi/hosts.c
	drivers/scsi/scsi_lib.c
	drivers/scsi/scsi_priv.h
	drivers/scsi/scsi_scan.c
	drivers/scsi/scsi_sysfs.c
	include/scsi/scsi_host.h


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/5ce8fad941233e81f2afb5b52a3fcddd3ba8732f
	https://git.kernel.org/stable/c/f818708eeeae793e12dc39f8984ed7732048a7d9
	https://git.kernel.org/stable/c/2e7eb4c1e8af8385de22775bd0be552f59b28c9a
	https://git.kernel.org/stable/c/8fe4ce5836e932f5766317cb651c1ff2a4cd0506