CVE-2022-49082

High

Published: 26 February 2025

Published

26 February 2025

Modified

25 March 2025

KEV Added

—

Patch

—

CVSS Score 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0011 29.7th percentile

Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Description

In the Linux kernel, the following vulnerability has been resolved: scsi: mpt3sas: Fix use after free in _scsih_expander_node_remove() The function mpt3sas_transport_port_remove() called in _scsih_expander_node_remove() frees the port field of the sas_expander structure, leading to the following use-after-free splat from KASAN when the ioc_info() call following that function is executed (e.g. when doing rmmod of the driver module): [ 3479.371167] ================================================================== [ 3479.378496] BUG: KASAN: use-after-free in _scsih_expander_node_remove+0x710/0x750 [mpt3sas] [ 3479.386936] Read of size 1 at addr ffff8881c037691c by task rmmod/1531 [ 3479.393524] [ 3479.395035] CPU: 18 PID: 1531 Comm: rmmod Not tainted 5.17.0-rc8+ #1436 [ 3479.401712] Hardware name: Supermicro Super Server/H12SSL-NT, BIOS 2.1 06/02/2021 [ 3479.409263] Call Trace: [ 3479.411743] <TASK> [ 3479.413875] dump_stack_lvl+0x45/0x59 [ 3479.417582] print_address_description.constprop.0+0x1f/0x120 [ 3479.423389] ? _scsih_expander_node_remove+0x710/0x750 [mpt3sas] [ 3479.429469] kasan_report.cold+0x83/0xdf [ 3479.433438] ? _scsih_expander_node_remove+0x710/0x750 [mpt3sas] [ 3479.439514] _scsih_expander_node_remove+0x710/0x750 [mpt3sas] [ 3479.445411] ? _raw_spin_unlock_irqrestore+0x2d/0x40 [ 3479.452032] scsih_remove+0x525/0xc90 [mpt3sas] [ 3479.458212] ? mpt3sas_expander_remove+0x1d0/0x1d0 [mpt3sas] [ 3479.465529] ? down_write+0xde/0x150 [ 3479.470746] ? up_write+0x14d/0x460 [ 3479.475840] ? kernfs_find_ns+0x137/0x310 [ 3479.481438] pci_device_remove+0x65/0x110 [ 3479.487013] __device_release_driver+0x316/0x680 [ 3479.493180] driver_detach+0x1ec/0x2d0 [ 3479.498499] bus_remove_driver+0xe7/0x2d0 [ 3479.504081] pci_unregister_driver+0x26/0x250 [ 3479.510033] _mpt3sas_exit+0x2b/0x6cf [mpt3sas] [ 3479.516144] __x64_sys_delete_module+0x2fd/0x510 [ 3479.522315] ? free_module+0xaa0/0xaa0 [ 3479.527593] ? __cond_resched+0x1c/0x90 [ 3479.532951] ? lockdep_hardirqs_on_prepare+0x273/0x3e0 [ 3479.539607] ? syscall_enter_from_user_mode+0x21/0x70 [ 3479.546161] ? trace_hardirqs_on+0x1c/0x110 [ 3479.551828] do_syscall_64+0x35/0x80 [ 3479.556884] entry_SYSCALL_64_after_hwframe+0x44/0xae [ 3479.563402] RIP: 0033:0x7f1fc482483b ... [ 3479.943087] ================================================================== Fix this by introducing the local variable port_id to store the port ID value before executing mpt3sas_transport_port_remove(). This local variable is then used in the call to ioc_info() instead of dereferencing the freed port structure.

Security Summary

CVE-2022-49082 is a use-after-free vulnerability in the Linux kernel's mpt3sas SCSI driver, specifically within the _scsih_expander_node_remove() function. The issue arises when mpt3sas_transport_port_remove() frees the port field of the sas_expander structure, but a subsequent ioc_info() call attempts to access it, triggering a KASAN-detected use-after-free during operations like driver module removal (rmmod). This affects Linux kernels incorporating the vulnerable mpt3sas driver code, with the flaw documented under CWE-416 and assigned a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

A local attacker with low privileges can exploit this vulnerability by triggering the affected code path, such as during removal of the mpt3sas driver module. Successful exploitation of the use-after-free could allow arbitrary read/write access to kernel memory, potentially leading to privilege escalation, denial of service via system crash, or execution of arbitrary code in kernel context, as indicated by the high impact ratings across confidentiality, integrity, and availability.

Mitigation involves applying upstream kernel patches, as detailed in the referenced stable commit fixes: notably, commits 17d66b1c92bcb41e72271ec60069d3684aaa1c9c, 1bb8a7fc64d63ec818e367e1b37676ea2ef2d20c, 25c1353dca74ad7cf3fd7ce258fe7c957a147d5e, and 87d663d40801dffc99a5ad3b0188ad3e2b4d1557. These patches introduce a local port_id variable to store the port ID before freeing the structure, preventing the invalid dereference in ioc_info(). Security practitioners should ensure systems with mpt3sas hardware (e.g., LSI/Avago controllers) update to patched kernels.

Details

CWE(s): CWE-416

Affected Products

linux

linux kernel

5.18 · 5.11 — 5.15.34 · 5.16 — 5.16.20 · 5.17 — 5.17.3

References

https://git.kernel.org/stable/c/17d66b1c92bcb41e72271ec60069d3684aaa1c9c
Patch · 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/1bb8a7fc64d63ec818e367e1b37676ea2ef2d20c
Patch · 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/25c1353dca74ad7cf3fd7ce258fe7c957a147d5e
Patch · 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/87d663d40801dffc99a5ad3b0188ad3e2b4d1557
Patch · 416baaa9-dc9f-4396-8d5f-8c081fb06d67