In the Linux kernel, the following vulnerability has been resolved:
scsi: pm8001: Fix use-after-free for aborted SSP/STP sas_task
Currently a use-after-free may occur if a sas_task is aborted by the upper layer before we handle the I/O completion in mpi_ssp_completion() or mpi_sata_completion().
In this case, the following are the two steps in handling those I/O completions:
1. Call complete() to inform the upper layer handler of completion of the I/O.
2. Release driver resources associated with the sas_task in the pm8001_ccb_task_free() call.
When complete() is called, the upper layer may free the sas_task. As such, we should not touch the associated sas_task afterwards, but we do so in the pm8001_ccb_task_free() call.
Fix by swapping the order of the complete() and pm8001_ccb_task_free() calls.
{ "vanir_signatures": [ { "signature_version": "v1", "signature_type": "Function", "target": { "file": "drivers/scsi/pm8001/pm80xx_hwi.c", "function": "mpi_ssp_completion" }, "id": "CVE-2022-48792-07114b1c", "digest": { "length": 8485.0, "function_hash": "181164951141330749022125330408808769215" }, "deprecated": false, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@d9d93f32534a0a80a1c26bdb0746d90a7b19c2c2" }, { "signature_version": "v1", "signature_type": "Function", "target": { "file": "drivers/scsi/pm8001/pm80xx_hwi.c", "function": "mpi_sata_completion" }, "id": "CVE-2022-48792-09417a5b", "digest": { "length": 11647.0, "function_hash": "154555163122839701824019358533370597955" }, "deprecated": false, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@d9d93f32534a0a80a1c26bdb0746d90a7b19c2c2" }, { "signature_version": "v1", "signature_type": "Function", "target": { "file": "drivers/scsi/pm8001/pm80xx_hwi.c", "function": "mpi_sata_completion" }, "id": "CVE-2022-48792-0d342357", "digest": { "length": 11647.0, "function_hash": "154555163122839701824019358533370597955" }, "deprecated": false, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@f61f9fccb2cb4bb275674a79d638704db6bc2171" }, { "signature_version": "v1", "signature_type": "Line", "target": { "file": "drivers/scsi/pm8001/pm80xx_hwi.c" }, "id": "CVE-2022-48792-1776b2f1", "digest": { "line_hashes": [ "49823865289544512510799210878870909114", "272760697638777120258298242353430034562", "162096990207162266332374346354937003601", "112754260637071320134895297805915526506", "188307920818966523322182446044028858686", "245410448506463586917435625178433182638", "265941287286739992716005024136862414671", "49823865289544512510799210878870909114", "272760697638777120258298242353430034562", "162096990207162266332374346354937003601", "112754260637071320134895297805915526506", "188307920818966523322182446044028858686", 
"245410448506463586917435625178433182638", "50120533138864035597074834832465820970" ], "threshold": 0.9 }, "deprecated": false, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@d9d93f32534a0a80a1c26bdb0746d90a7b19c2c2" }, { "signature_version": "v1", "signature_type": "Function", "target": { "file": "drivers/scsi/pm8001/pm80xx_hwi.c", "function": "mpi_ssp_completion" }, "id": "CVE-2022-48792-3cd4312b", "digest": { "length": 8481.0, "function_hash": "134620071164490238745789422110354428493" }, "deprecated": false, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@fe9ac3eaa2e387a5742b380b73a5a6bc237bf184" }, { "signature_version": "v1", "signature_type": "Line", "target": { "file": "drivers/scsi/pm8001/pm80xx_hwi.c" }, "id": "CVE-2022-48792-4f796bbd", "digest": { "line_hashes": [ "49823865289544512510799210878870909114", "272760697638777120258298242353430034562", "162096990207162266332374346354937003601", "112754260637071320134895297805915526506", "188307920818966523322182446044028858686", "245410448506463586917435625178433182638", "265941287286739992716005024136862414671", "49823865289544512510799210878870909114", "272760697638777120258298242353430034562", "162096990207162266332374346354937003601", "112754260637071320134895297805915526506", "188307920818966523322182446044028858686", "245410448506463586917435625178433182638", "149840119810744239441040885499193777990" ], "threshold": 0.9 }, "deprecated": false, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@fe9ac3eaa2e387a5742b380b73a5a6bc237bf184" }, { "signature_version": "v1", "signature_type": "Function", "target": { "file": "drivers/scsi/pm8001/pm80xx_hwi.c", "function": "mpi_sata_completion" }, "id": "CVE-2022-48792-5c49b949", "digest": { "length": 10878.0, "function_hash": "269311986091498576730544088929196833514" }, "deprecated": false, "source": 
"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@fe9ac3eaa2e387a5742b380b73a5a6bc237bf184" }, { "signature_version": "v1", "signature_type": "Line", "target": { "file": "drivers/scsi/pm8001/pm80xx_hwi.c" }, "id": "CVE-2022-48792-81581a13", "digest": { "line_hashes": [ "49823865289544512510799210878870909114", "272760697638777120258298242353430034562", "162096990207162266332374346354937003601", "112754260637071320134895297805915526506", "188307920818966523322182446044028858686", "245410448506463586917435625178433182638", "265941287286739992716005024136862414671", "49823865289544512510799210878870909114", "272760697638777120258298242353430034562", "162096990207162266332374346354937003601", "112754260637071320134895297805915526506", "188307920818966523322182446044028858686", "245410448506463586917435625178433182638", "50120533138864035597074834832465820970" ], "threshold": 0.9 }, "deprecated": false, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@f61f9fccb2cb4bb275674a79d638704db6bc2171" }, { "signature_version": "v1", "signature_type": "Function", "target": { "file": "drivers/scsi/pm8001/pm80xx_hwi.c", "function": "mpi_ssp_completion" }, "id": "CVE-2022-48792-bcbb4be1", "digest": { "length": 8485.0, "function_hash": "181164951141330749022125330408808769215" }, "deprecated": false, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@f61f9fccb2cb4bb275674a79d638704db6bc2171" }, { "signature_version": "v1", "signature_type": "Function", "target": { "file": "drivers/scsi/pm8001/pm80xx_hwi.c", "function": "mpi_ssp_completion" }, "id": "CVE-2022-48792-c9760aaf", "digest": { "length": 8485.0, "function_hash": "181164951141330749022125330408808769215" }, "deprecated": false, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@df7abcaa1246e2537ab4016077b5443bb3c09378" }, { "signature_version": "v1", "signature_type": "Line", "target": { "file": "drivers/scsi/pm8001/pm80xx_hwi.c" }, 
"id": "CVE-2022-48792-ce448ab0", "digest": { "line_hashes": [ "49823865289544512510799210878870909114", "272760697638777120258298242353430034562", "162096990207162266332374346354937003601", "112754260637071320134895297805915526506", "188307920818966523322182446044028858686", "245410448506463586917435625178433182638", "265941287286739992716005024136862414671", "49823865289544512510799210878870909114", "272760697638777120258298242353430034562", "162096990207162266332374346354937003601", "112754260637071320134895297805915526506", "188307920818966523322182446044028858686", "245410448506463586917435625178433182638", "50120533138864035597074834832465820970" ], "threshold": 0.9 }, "deprecated": false, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@df7abcaa1246e2537ab4016077b5443bb3c09378" }, { "signature_version": "v1", "signature_type": "Function", "target": { "file": "drivers/scsi/pm8001/pm80xx_hwi.c", "function": "mpi_sata_completion" }, "id": "CVE-2022-48792-e82c788a", "digest": { "length": 11503.0, "function_hash": "319179000942512107731453094886101905437" }, "deprecated": false, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@df7abcaa1246e2537ab4016077b5443bb3c09378" } ] }