CVE-2022-48791

HIGH

Linux Kernel < 5.10.102, 5.11.0-5.15.25, 5.14.0-5.16.11 - Use-After-Free in SCSI PM8001 TMF Abort Handling

Title source: llm

Description

In the Linux kernel, the following vulnerability has been resolved: scsi: pm8001: Fix use-after-free for aborted TMF sas_task Currently a use-after-free may occur if a TMF sas_task is aborted before we handle the IO completion in mpi_ssp_completion(). The abort occurs due to timeout. When the timeout occurs, the SAS_TASK_STATE_ABORTED flag is set and the sas_task is freed in pm8001_exec_internal_tmf_task(). However, if the I/O completion occurs later, the I/O completion still thinks that the sas_task is available. Fix this by clearing the ccb->task if the TMF times out - the I/O completion handler does nothing if this pointer is cleared.

References (4)

Core 4

Core References

Patch

https://git.kernel.org/stable/c/d872e7b5fe38f325f5206b6872746fa02c2b4819

Patch

https://git.kernel.org/stable/c/3c334cdfd94945b8edb94022a0371a8665b17366

Patch

https://git.kernel.org/stable/c/510b21442c3a2e3ecc071ba3e666b320e7acdd61

Patch

https://git.kernel.org/stable/c/61f162aa4381845acbdc7f2be4dfb694d027c018

Scores

CVSS v3 7.8

EPSS 0.0024

EPSS Percentile 15.5%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-416

Status published

Products (17)

linux/Kernel < 5.10.102linux

linux/Kernel 5.11.0 - 5.15.25linux

linux/Kernel 5.14.0 - 5.16.11linux

Linux/Linux < 5.14

Linux/Linux 5.10.102 - 5.10.*

Linux/Linux 5.10.61 - 5.10.102

Linux/Linux 5.13.13 - 5.14

Linux/Linux 5.14

Linux/Linux 5.15.25 - 5.15.*

Linux/Linux 5.16.11 - 5.16.*

... and 7 more

Published Jul 16, 2024

Tracked Since Feb 18, 2026