cve/published/2022/CVE-2022-49082.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2022-49082: scsi: mpt3sas: Fix use after free in _scsih_expander_node_remove()

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 scsi: mpt3sas: Fix use after free in _scsih_expander_node_remove()

 The function mpt3sas_transport_port_remove() called in
 _scsih_expander_node_remove() frees the port field of the sas_expander
 structure, leading to the following use-after-free splat from KASAN when
 the ioc_info() call following that function is executed (e.g. when doing
 rmmod of the driver module):

 [ 3479.371167] ==================================================================
 [ 3479.378496] BUG: KASAN: use-after-free in _scsih_expander_node_remove+0x710/0x750 [mpt3sas]
 [ 3479.386936] Read of size 1 at addr ffff8881c037691c by task rmmod/1531
 [ 3479.393524]
 [ 3479.395035] CPU: 18 PID: 1531 Comm: rmmod Not tainted 5.17.0-rc8+ #1436
 [ 3479.401712] Hardware name: Supermicro Super Server/H12SSL-NT, BIOS 2.1 06/02/2021
 [ 3479.409263] Call Trace:
 [ 3479.411743]  <TASK>
 [ 3479.413875]  dump_stack_lvl+0x45/0x59
 [ 3479.417582]  print_address_description.constprop.0+0x1f/0x120
 [ 3479.423389]  ? _scsih_expander_node_remove+0x710/0x750 [mpt3sas]
 [ 3479.429469]  kasan_report.cold+0x83/0xdf
 [ 3479.433438]  ? _scsih_expander_node_remove+0x710/0x750 [mpt3sas]
 [ 3479.439514]  _scsih_expander_node_remove+0x710/0x750 [mpt3sas]
 [ 3479.445411]  ? _raw_spin_unlock_irqrestore+0x2d/0x40
 [ 3479.452032]  scsih_remove+0x525/0xc90 [mpt3sas]
 [ 3479.458212]  ? mpt3sas_expander_remove+0x1d0/0x1d0 [mpt3sas]
 [ 3479.465529]  ? down_write+0xde/0x150
 [ 3479.470746]  ? up_write+0x14d/0x460
 [ 3479.475840]  ? kernfs_find_ns+0x137/0x310
 [ 3479.481438]  pci_device_remove+0x65/0x110
 [ 3479.487013]  __device_release_driver+0x316/0x680
 [ 3479.493180]  driver_detach+0x1ec/0x2d0
 [ 3479.498499]  bus_remove_driver+0xe7/0x2d0
 [ 3479.504081]  pci_unregister_driver+0x26/0x250
 [ 3479.510033]  _mpt3sas_exit+0x2b/0x6cf [mpt3sas]
 [ 3479.516144]  __x64_sys_delete_module+0x2fd/0x510
 [ 3479.522315]  ? free_module+0xaa0/0xaa0
 [ 3479.527593]  ? __cond_resched+0x1c/0x90
 [ 3479.532951]  ? lockdep_hardirqs_on_prepare+0x273/0x3e0
 [ 3479.539607]  ? syscall_enter_from_user_mode+0x21/0x70
 [ 3479.546161]  ? trace_hardirqs_on+0x1c/0x110
 [ 3479.551828]  do_syscall_64+0x35/0x80
 [ 3479.556884]  entry_SYSCALL_64_after_hwframe+0x44/0xae
 [ 3479.563402] RIP: 0033:0x7f1fc482483b
 ...
 [ 3479.943087] ==================================================================

 Fix this by introducing the local variable port_id to store the port ID
 value before executing mpt3sas_transport_port_remove(). This local variable
 is then used in the call to ioc_info() instead of dereferencing the freed
 port structure.

 The Linux kernel CVE team has assigned CVE-2022-49082 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 5.11 with commit 7d310f241001e090cf1ec0f3ae836b38d8c6ebec and fixed in 5.15.34 with commit 25c1353dca74ad7cf3fd7ce258fe7c957a147d5e
 	Issue introduced in 5.11 with commit 7d310f241001e090cf1ec0f3ae836b38d8c6ebec and fixed in 5.16.20 with commit 17d66b1c92bcb41e72271ec60069d3684aaa1c9c
 	Issue introduced in 5.11 with commit 7d310f241001e090cf1ec0f3ae836b38d8c6ebec and fixed in 5.17.3 with commit 1bb8a7fc64d63ec818e367e1b37676ea2ef2d20c
 	Issue introduced in 5.11 with commit 7d310f241001e090cf1ec0f3ae836b38d8c6ebec and fixed in 5.18 with commit 87d663d40801dffc99a5ad3b0188ad3e2b4d1557

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2022-49082
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	drivers/scsi/mpt3sas/mpt3sas_scsih.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/25c1353dca74ad7cf3fd7ce258fe7c957a147d5e
 	https://git.kernel.org/stable/c/17d66b1c92bcb41e72271ec60069d3684aaa1c9c
 	https://git.kernel.org/stable/c/1bb8a7fc64d63ec818e367e1b37676ea2ef2d20c
 	https://git.kernel.org/stable/c/87d663d40801dffc99a5ad3b0188ad3e2b4d1557
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2022-49082: scsi: mpt3sas: Fix use after free in _scsih_expander_node_remove()

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	scsi: mpt3sas: Fix use after free in _scsih_expander_node_remove()

	The function mpt3sas_transport_port_remove() called in
	_scsih_expander_node_remove() frees the port field of the sas_expander
	structure, leading to the following use-after-free splat from KASAN when
	the ioc_info() call following that function is executed (e.g. when doing
	rmmod of the driver module):

	[ 3479.371167] ==================================================================
	[ 3479.378496] BUG: KASAN: use-after-free in _scsih_expander_node_remove+0x710/0x750 [mpt3sas]
	[ 3479.386936] Read of size 1 at addr ffff8881c037691c by task rmmod/1531
	[ 3479.393524]
	[ 3479.395035] CPU: 18 PID: 1531 Comm: rmmod Not tainted 5.17.0-rc8+ #1436
	[ 3479.401712] Hardware name: Supermicro Super Server/H12SSL-NT, BIOS 2.1 06/02/2021
	[ 3479.409263] Call Trace:
	[ 3479.411743] <TASK>
	[ 3479.413875] dump_stack_lvl+0x45/0x59
	[ 3479.417582] print_address_description.constprop.0+0x1f/0x120
	[ 3479.423389] ? _scsih_expander_node_remove+0x710/0x750 [mpt3sas]
	[ 3479.429469] kasan_report.cold+0x83/0xdf
	[ 3479.433438] ? _scsih_expander_node_remove+0x710/0x750 [mpt3sas]
	[ 3479.439514] _scsih_expander_node_remove+0x710/0x750 [mpt3sas]
	[ 3479.445411] ? _raw_spin_unlock_irqrestore+0x2d/0x40
	[ 3479.452032] scsih_remove+0x525/0xc90 [mpt3sas]
	[ 3479.458212] ? mpt3sas_expander_remove+0x1d0/0x1d0 [mpt3sas]
	[ 3479.465529] ? down_write+0xde/0x150
	[ 3479.470746] ? up_write+0x14d/0x460
	[ 3479.475840] ? kernfs_find_ns+0x137/0x310
	[ 3479.481438] pci_device_remove+0x65/0x110
	[ 3479.487013] __device_release_driver+0x316/0x680
	[ 3479.493180] driver_detach+0x1ec/0x2d0
	[ 3479.498499] bus_remove_driver+0xe7/0x2d0
	[ 3479.504081] pci_unregister_driver+0x26/0x250
	[ 3479.510033] _mpt3sas_exit+0x2b/0x6cf [mpt3sas]
	[ 3479.516144] __x64_sys_delete_module+0x2fd/0x510
	[ 3479.522315] ? free_module+0xaa0/0xaa0
	[ 3479.527593] ? __cond_resched+0x1c/0x90
	[ 3479.532951] ? lockdep_hardirqs_on_prepare+0x273/0x3e0
	[ 3479.539607] ? syscall_enter_from_user_mode+0x21/0x70
	[ 3479.546161] ? trace_hardirqs_on+0x1c/0x110
	[ 3479.551828] do_syscall_64+0x35/0x80
	[ 3479.556884] entry_SYSCALL_64_after_hwframe+0x44/0xae
	[ 3479.563402] RIP: 0033:0x7f1fc482483b
	...
	[ 3479.943087] ==================================================================

	Fix this by introducing the local variable port_id to store the port ID
	value before executing mpt3sas_transport_port_remove(). This local variable
	is then used in the call to ioc_info() instead of dereferencing the freed
	port structure.

	The Linux kernel CVE team has assigned CVE-2022-49082 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 5.11 with commit 7d310f241001e090cf1ec0f3ae836b38d8c6ebec and fixed in 5.15.34 with commit 25c1353dca74ad7cf3fd7ce258fe7c957a147d5e
	Issue introduced in 5.11 with commit 7d310f241001e090cf1ec0f3ae836b38d8c6ebec and fixed in 5.16.20 with commit 17d66b1c92bcb41e72271ec60069d3684aaa1c9c
	Issue introduced in 5.11 with commit 7d310f241001e090cf1ec0f3ae836b38d8c6ebec and fixed in 5.17.3 with commit 1bb8a7fc64d63ec818e367e1b37676ea2ef2d20c
	Issue introduced in 5.11 with commit 7d310f241001e090cf1ec0f3ae836b38d8c6ebec and fixed in 5.18 with commit 87d663d40801dffc99a5ad3b0188ad3e2b4d1557

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2022-49082
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	drivers/scsi/mpt3sas/mpt3sas_scsih.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/25c1353dca74ad7cf3fd7ce258fe7c957a147d5e
	https://git.kernel.org/stable/c/17d66b1c92bcb41e72271ec60069d3684aaa1c9c
	https://git.kernel.org/stable/c/1bb8a7fc64d63ec818e367e1b37676ea2ef2d20c
	https://git.kernel.org/stable/c/87d663d40801dffc99a5ad3b0188ad3e2b4d1557