CVE-2022-48791

Currently a use-after-free may occur if a TMF sastask is aborted before we handle the IO completion in mpissp_completion(). The abort occurs due to timeout.

When the timeout occurs, the SASTASKSTATEABORTED flag is set and the sastask is freed in pm8001execinternaltmftask().

However, if the I/O completion occurs later, the I/O completion still thinks that the sas_task is available. Fix this by clearing the ccb->task if the TMF times out - the I/O completion handler does nothing if this pointer is cleared.

Database specific

{
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/48xxx/CVE-2022-48791.json"
}

References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

968ee9176a4489ce6d5ee54ff88dadfbff9b95f4

Fixed

d872e7b5fe38f325f5206b6872746fa02c2b4819

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

d712d3fb484b7fa8d1d57e9ca6f134bb9d8c18b1

Fixed

3c334cdfd94945b8edb94022a0371a8665b17366

Fixed

510b21442c3a2e3ecc071ba3e666b320e7acdd61

Fixed

61f162aa4381845acbdc7f2be4dfb694d027c018

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Last affected

fa3c19ceaa8b4b7c29d710c2c407df57d256a6c5

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-48791.json"