In the Linux kernel, the following vulnerability has been resolved:
scsi: pm8001: Fix use-after-free for aborted SSP/STP sas_task
Currently a use-after-free may occur if a sas_task is aborted by the upper layer before we handle the I/O completion in mpi_ssp_completion() or mpi_sata_completion().
In this case, the following are the two steps in handling those I/O completions:
1. Call complete() to inform the upper layer handler of completion of the I/O.
2. Release driver resources associated with the sas_task in the pm8001_ccb_task_free() call.
When complete() is called, the upper layer may free the sas_task. As such, we should not touch the associated sas_task afterwards, but we do so in the pm8001_ccb_task_free() call.
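Fix by swapping the order of the complete() and pm8001_ccb_task_free() calls, so that the driver releases its resources for the sas_task before the upper layer is told the I/O has completed and can free it.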
[ { "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@d9d93f32534a0a80a1c26bdb0746d90a7b19c2c2", "target": { "function": "mpi_ssp_completion", "file": "drivers/scsi/pm8001/pm80xx_hwi.c" }, "id": "CVE-2022-48792-07114b1c", "deprecated": false, "digest": { "function_hash": "181164951141330749022125330408808769215", "length": 8485.0 }, "signature_version": "v1", "signature_type": "Function" }, { "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@d9d93f32534a0a80a1c26bdb0746d90a7b19c2c2", "target": { "function": "mpi_sata_completion", "file": "drivers/scsi/pm8001/pm80xx_hwi.c" }, "id": "CVE-2022-48792-09417a5b", "deprecated": false, "digest": { "function_hash": "154555163122839701824019358533370597955", "length": 11647.0 }, "signature_version": "v1", "signature_type": "Function" }, { "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@f61f9fccb2cb4bb275674a79d638704db6bc2171", "target": { "function": "mpi_sata_completion", "file": "drivers/scsi/pm8001/pm80xx_hwi.c" }, "id": "CVE-2022-48792-0d342357", "deprecated": false, "digest": { "function_hash": "154555163122839701824019358533370597955", "length": 11647.0 }, "signature_version": "v1", "signature_type": "Function" }, { "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@d9d93f32534a0a80a1c26bdb0746d90a7b19c2c2", "target": { "file": "drivers/scsi/pm8001/pm80xx_hwi.c" }, "id": "CVE-2022-48792-1776b2f1", "deprecated": false, "digest": { "line_hashes": [ "49823865289544512510799210878870909114", "272760697638777120258298242353430034562", "162096990207162266332374346354937003601", "112754260637071320134895297805915526506", "188307920818966523322182446044028858686", "245410448506463586917435625178433182638", "265941287286739992716005024136862414671", "49823865289544512510799210878870909114", "272760697638777120258298242353430034562", "162096990207162266332374346354937003601", "112754260637071320134895297805915526506", 
"188307920818966523322182446044028858686", "245410448506463586917435625178433182638", "50120533138864035597074834832465820970" ], "threshold": 0.9 }, "signature_version": "v1", "signature_type": "Line" }, { "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@fe9ac3eaa2e387a5742b380b73a5a6bc237bf184", "target": { "function": "mpi_ssp_completion", "file": "drivers/scsi/pm8001/pm80xx_hwi.c" }, "id": "CVE-2022-48792-3cd4312b", "deprecated": false, "digest": { "function_hash": "134620071164490238745789422110354428493", "length": 8481.0 }, "signature_version": "v1", "signature_type": "Function" }, { "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@fe9ac3eaa2e387a5742b380b73a5a6bc237bf184", "target": { "file": "drivers/scsi/pm8001/pm80xx_hwi.c" }, "id": "CVE-2022-48792-4f796bbd", "deprecated": false, "digest": { "line_hashes": [ "49823865289544512510799210878870909114", "272760697638777120258298242353430034562", "162096990207162266332374346354937003601", "112754260637071320134895297805915526506", "188307920818966523322182446044028858686", "245410448506463586917435625178433182638", "265941287286739992716005024136862414671", "49823865289544512510799210878870909114", "272760697638777120258298242353430034562", "162096990207162266332374346354937003601", "112754260637071320134895297805915526506", "188307920818966523322182446044028858686", "245410448506463586917435625178433182638", "149840119810744239441040885499193777990" ], "threshold": 0.9 }, "signature_version": "v1", "signature_type": "Line" }, { "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@fe9ac3eaa2e387a5742b380b73a5a6bc237bf184", "target": { "function": "mpi_sata_completion", "file": "drivers/scsi/pm8001/pm80xx_hwi.c" }, "id": "CVE-2022-48792-5c49b949", "deprecated": false, "digest": { "function_hash": "269311986091498576730544088929196833514", "length": 10878.0 }, "signature_version": "v1", "signature_type": "Function" }, { "source": 
"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@f61f9fccb2cb4bb275674a79d638704db6bc2171", "target": { "file": "drivers/scsi/pm8001/pm80xx_hwi.c" }, "id": "CVE-2022-48792-81581a13", "deprecated": false, "digest": { "line_hashes": [ "49823865289544512510799210878870909114", "272760697638777120258298242353430034562", "162096990207162266332374346354937003601", "112754260637071320134895297805915526506", "188307920818966523322182446044028858686", "245410448506463586917435625178433182638", "265941287286739992716005024136862414671", "49823865289544512510799210878870909114", "272760697638777120258298242353430034562", "162096990207162266332374346354937003601", "112754260637071320134895297805915526506", "188307920818966523322182446044028858686", "245410448506463586917435625178433182638", "50120533138864035597074834832465820970" ], "threshold": 0.9 }, "signature_version": "v1", "signature_type": "Line" }, { "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@f61f9fccb2cb4bb275674a79d638704db6bc2171", "target": { "function": "mpi_ssp_completion", "file": "drivers/scsi/pm8001/pm80xx_hwi.c" }, "id": "CVE-2022-48792-bcbb4be1", "deprecated": false, "digest": { "function_hash": "181164951141330749022125330408808769215", "length": 8485.0 }, "signature_version": "v1", "signature_type": "Function" }, { "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@df7abcaa1246e2537ab4016077b5443bb3c09378", "target": { "function": "mpi_ssp_completion", "file": "drivers/scsi/pm8001/pm80xx_hwi.c" }, "id": "CVE-2022-48792-c9760aaf", "deprecated": false, "digest": { "function_hash": "181164951141330749022125330408808769215", "length": 8485.0 }, "signature_version": "v1", "signature_type": "Function" }, { "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@df7abcaa1246e2537ab4016077b5443bb3c09378", "target": { "file": "drivers/scsi/pm8001/pm80xx_hwi.c" }, "id": "CVE-2022-48792-ce448ab0", "deprecated": false, 
"digest": { "line_hashes": [ "49823865289544512510799210878870909114", "272760697638777120258298242353430034562", "162096990207162266332374346354937003601", "112754260637071320134895297805915526506", "188307920818966523322182446044028858686", "245410448506463586917435625178433182638", "265941287286739992716005024136862414671", "49823865289544512510799210878870909114", "272760697638777120258298242353430034562", "162096990207162266332374346354937003601", "112754260637071320134895297805915526506", "188307920818966523322182446044028858686", "245410448506463586917435625178433182638", "50120533138864035597074834832465820970" ], "threshold": 0.9 }, "signature_version": "v1", "signature_type": "Line" }, { "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@df7abcaa1246e2537ab4016077b5443bb3c09378", "target": { "function": "mpi_sata_completion", "file": "drivers/scsi/pm8001/pm80xx_hwi.c" }, "id": "CVE-2022-48792-e82c788a", "deprecated": false, "digest": { "function_hash": "319179000942512107731453094886101905437", "length": 11503.0 }, "signature_version": "v1", "signature_type": "Function" } ]