CVE-2022-49703
- Source
- https://cve.org/CVERecord?id=CVE-2022-49703
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-49703.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2022-49703
- Downstream
- Related
- Published
- 2025-02-26T02:24:22.700Z
- Modified
- 2026-03-11T06:46:22.462850Z
- Severity
-
- 5.5 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
- Summary
- scsi: ibmvfc: Store vhost pointer during subcrq allocation
- Details
-
In the Linux kernel, the following vulnerability has been resolved:
scsi: ibmvfc: Store vhost pointer during subcrq allocation
Currently the back pointer from a queue to the vhost adapter isn't set until after subcrq interrupt registration. The value is available when a queue is first allocated and can/should be also set for primary and async queues as well as subcrqs.
This fixes a crash observed during kexec/kdump on Power 9 with legacy XICS interrupt controller where a pending subcrq interrupt from the previous kernel can be replayed immediately upon IRQ registration resulting in dereference of a garbage backpointer in ibmvfcinterruptscsi().
Kernel attempted to read user page (58) - exploit attempt? (uid: 0) BUG: Kernel NULL pointer dereference on read at 0x00000058 Faulting instruction address: 0xc008000003216a08 Oops: Kernel access of bad area, sig: 11 [#1] ... NIP [c008000003216a08] ibmvfcinterruptscsi+0x40/0xb0 [ibmvfc] LR [c0000000082079e8] __handleirqevent_percpu+0x98/0x270 Call Trace: [c000000047fa3d80] [c0000000123e6180] 0xc0000000123e6180 (unreliable) [c000000047fa3df0] [c0000000082079e8] __handleirqevent_percpu+0x98/0x270 [c000000047fa3ea0] [c000000008207d18] handleirqevent+0x98/0x188 [c000000047fa3ef0] [c00000000820f564] handlefasteoiirq+0xc4/0x310 [c000000047fa3f40] [c000000008205c60] generichandleirq+0x50/0x80 [c000000047fa3f60] [c000000008015c40] __do_irq+0x70/0x1a0 [c000000047fa3f90] [c000000008016d7c] __doIRQ+0x9c/0x130 [c000000014622f60] [0000000020000000] 0x20000000 [c000000014622ff0] [c000000008016e50] doIRQ+0x40/0xa0 [c000000014623020] [c000000008017044] replaysoftinterrupts+0x194/0x2f0 [c000000014623210] [c0000000080172a8] arch_localirqrestore+0x108/0x170 [c000000014623240] [c000000008eb1008] rawspinunlockirqrestore+0x58/0xb0 [c000000014623270] [c00000000820b12c] __setupirq+0x49c/0x9f0 [c000000014623310] [c00000000820b7c0] requestthreadedirq+0x140/0x230 [c000000014623380] [c008000003212a50] ibmvfcregisterscsichannel+0x1e8/0x2f0 [ibmvfc] [c000000014623450] [c008000003213d1c] ibmvfcinitsubcrqs+0xc4/0x1f0 [ibmvfc] [c0000000146234d0] [c0080000032145a8] ibmvfcresetcrq+0x150/0x210 [ibmvfc] [c000000014623550] [c0080000032147c8] ibmvfcinitcrq+0x160/0x280 [ibmvfc] [c0000000146235f0] [c00800000321a9cc] ibmvfcprobe+0x2a4/0x530 [ibmvfc]
- Database specific
{ "cna_assigner": "Linux", "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/49xxx/CVE-2022-49703.json" }- References
-
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- https://git.kernel.org/stable/c/6d38e3b614ded59da8b95377a98df969a5a5627a
- https://git.kernel.org/stable/c/8540f66196ca35b7b5e902932571c18b9fde0cd1
- https://git.kernel.org/stable/c/aeaadcde1a60138bceb65de3cdaeec78170b4459
- https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/49xxx/CVE-2022-49703.json
- https://nvd.nist.gov/vuln/detail/CVE-2022-49703
Affected packages
Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Affected ranges
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduced3034ebe26389740bb6b4a463e05afb51dc93c336Fixed8540f66196ca35b7b5e902932571c18b9fde0cd1Fixed6d38e3b614ded59da8b95377a98df969a5a5627aFixedaeaadcde1a60138bceb65de3cdaeec78170b4459
Affected versions
v5.*
v5.11
v5.11-rc3
v5.11-rc4
v5.11-rc5
v5.11-rc6
v5.11-rc7
v5.12
v5.12-rc1
v5.12-rc1-dontuse
v5.12-rc2
v5.12-rc3
v5.12-rc4
v5.12-rc5
v5.12-rc6
v5.12-rc7
v5.12-rc8
v5.13
v5.13-rc1
v5.13-rc2
v5.13-rc3
v5.13-rc4
v5.13-rc5
v5.13-rc6
v5.13-rc7
v5.14
v5.14-rc1
v5.14-rc2
v5.14-rc3
v5.14-rc4
v5.14-rc5
v5.14-rc6
v5.14-rc7
v5.15
v5.15-rc1
v5.15-rc2
v5.15-rc3
v5.15-rc4
v5.15-rc5
v5.15-rc6
v5.15-rc7
v5.15.1
v5.15.10
v5.15.11
v5.15.12
v5.15.13
v5.15.14
v5.15.15
v5.15.16
v5.15.17
v5.15.18
v5.15.19
v5.15.2
v5.15.20
v5.15.21
v5.15.22
v5.15.23
v5.15.24
v5.15.25
v5.15.26
v5.15.27
v5.15.28
v5.15.29
v5.15.3
v5.15.30
v5.15.31
v5.15.32
v5.15.33
v5.15.34
v5.15.35
v5.15.36
v5.15.37
v5.15.38
v5.15.39
v5.15.4
v5.15.40
v5.15.41
v5.15.42
v5.15.43
v5.15.44
v5.15.45
v5.15.46
v5.15.47
v5.15.48
v5.15.49
v5.15.5
v5.15.50
v5.15.6
v5.15.7
v5.15.8
v5.15.9
v5.16
v5.16-rc1
v5.16-rc2
v5.16-rc3
v5.16-rc4
v5.16-rc5
v5.16-rc6
v5.16-rc7
v5.16-rc8
v5.17
v5.17-rc1
v5.17-rc2
v5.17-rc3
v5.17-rc4
v5.17-rc5
v5.17-rc6
v5.17-rc7
v5.17-rc8
v5.18
v5.18-rc1
v5.18-rc2
v5.18-rc3
v5.18-rc4
v5.18-rc5
v5.18-rc6
v5.18-rc7
v5.18.1
v5.18.2
v5.18.3
v5.18.4
v5.18.5
v5.18.6
v5.18.7
v5.19-rc1
Database specific
vanir_signatures
[
{
"digest": {
"threshold": 0.9,
"line_hashes": [
"143814261591834630506579302038027177981",
"144658398222142684691878434334656903560",
"180388725910607507351020620066447417025",
"294828403464649502558775834961116068505",
"320238498649260627181107450997542474654",
"291518150378996486683472448704940422367",
"233766174883501289253804435158829933724"
]
},
"signature_version": "v1",
"deprecated": false,
"signature_type": "Line",
"id": "CVE-2022-49703-04fcda7d",
"target": {
"file": "drivers/scsi/ibmvscsi/ibmvfc.h"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@8540f66196ca35b7b5e902932571c18b9fde0cd1"
},
{
"digest": {
"threshold": 0.9,
"line_hashes": [
"162235457274991622027863130224860755754",
"267037088875495041846380113932308950093",
"289864897785750282316543337674023866905",
"46034672642604437896063826144124516952",
"80604694901210548631784983807886493798",
"263105706741994139003434291439468746231",
"74512090705921057799274568693865791644",
"68601007505912593798390183533348355699"
]
},
"signature_version": "v1",
"deprecated": false,
"signature_type": "Line",
"id": "CVE-2022-49703-450985aa",
"target": {
"file": "drivers/scsi/ibmvscsi/ibmvfc.c"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@8540f66196ca35b7b5e902932571c18b9fde0cd1"
},
{
"digest": {
"threshold": 0.9,
"line_hashes": [
"162235457274991622027863130224860755754",
"267037088875495041846380113932308950093",
"289864897785750282316543337674023866905",
"46034672642604437896063826144124516952",
"80604694901210548631784983807886493798",
"263105706741994139003434291439468746231",
"74512090705921057799274568693865791644",
"68601007505912593798390183533348355699"
]
},
"signature_version": "v1",
"deprecated": false,
"signature_type": "Line",
"id": "CVE-2022-49703-5471195a",
"target": {
"file": "drivers/scsi/ibmvscsi/ibmvfc.c"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@aeaadcde1a60138bceb65de3cdaeec78170b4459"
},
{
"digest": {
"length": 1307.0,
"function_hash": "148871805000621335431882457718271316623"
},
"signature_version": "v1",
"deprecated": false,
"signature_type": "Function",
"id": "CVE-2022-49703-72101850",
"target": {
"function": "ibmvfc_register_scsi_channel",
"file": "drivers/scsi/ibmvscsi/ibmvfc.c"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@6d38e3b614ded59da8b95377a98df969a5a5627a"
},
{
"digest": {
"length": 1307.0,
"function_hash": "148871805000621335431882457718271316623"
},
"signature_version": "v1",
"deprecated": false,
"signature_type": "Function",
"id": "CVE-2022-49703-9ad6763c",
"target": {
"function": "ibmvfc_register_scsi_channel",
"file": "drivers/scsi/ibmvscsi/ibmvfc.c"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@8540f66196ca35b7b5e902932571c18b9fde0cd1"
},
{
"digest": {
"length": 1216.0,
"function_hash": "36602681651680724480353700394626830665"
},
"signature_version": "v1",
"deprecated": false,
"signature_type": "Function",
"id": "CVE-2022-49703-9e4c2a5f",
"target": {
"function": "ibmvfc_alloc_queue",
"file": "drivers/scsi/ibmvscsi/ibmvfc.c"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@8540f66196ca35b7b5e902932571c18b9fde0cd1"
},
{
"digest": {
"length": 1209.0,
"function_hash": "210455993974002269897724784868874891858"
},
"signature_version": "v1",
"deprecated": false,
"signature_type": "Function",
"id": "CVE-2022-49703-9e5a15df",
"target": {
"function": "ibmvfc_register_scsi_channel",
"file": "drivers/scsi/ibmvscsi/ibmvfc.c"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@aeaadcde1a60138bceb65de3cdaeec78170b4459"
},
{
"digest": {
"threshold": 0.9,
"line_hashes": [
"143814261591834630506579302038027177981",
"144658398222142684691878434334656903560",
"180388725910607507351020620066447417025",
"294828403464649502558775834961116068505",
"320238498649260627181107450997542474654",
"291518150378996486683472448704940422367",
"233766174883501289253804435158829933724"
]
},
"signature_version": "v1",
"deprecated": false,
"signature_type": "Line",
"id": "CVE-2022-49703-ba46b44e",
"target": {
"file": "drivers/scsi/ibmvscsi/ibmvfc.h"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@aeaadcde1a60138bceb65de3cdaeec78170b4459"
},
{
"digest": {
"threshold": 0.9,
"line_hashes": [
"162235457274991622027863130224860755754",
"267037088875495041846380113932308950093",
"289864897785750282316543337674023866905",
"46034672642604437896063826144124516952",
"80604694901210548631784983807886493798",
"263105706741994139003434291439468746231",
"74512090705921057799274568693865791644",
"68601007505912593798390183533348355699"
]
},
"signature_version": "v1",
"deprecated": false,
"signature_type": "Line",
"id": "CVE-2022-49703-d50ad1f0",
"target": {
"file": "drivers/scsi/ibmvscsi/ibmvfc.c"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@6d38e3b614ded59da8b95377a98df969a5a5627a"
},
{
"digest": {
"length": 1216.0,
"function_hash": "36602681651680724480353700394626830665"
},
"signature_version": "v1",
"deprecated": false,
"signature_type": "Function",
"id": "CVE-2022-49703-e7f2a216",
"target": {
"function": "ibmvfc_alloc_queue",
"file": "drivers/scsi/ibmvscsi/ibmvfc.c"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@6d38e3b614ded59da8b95377a98df969a5a5627a"
},
{
"digest": {
"threshold": 0.9,
"line_hashes": [
"143814261591834630506579302038027177981",
"144658398222142684691878434334656903560",
"180388725910607507351020620066447417025",
"294828403464649502558775834961116068505",
"320238498649260627181107450997542474654",
"291518150378996486683472448704940422367",
"233766174883501289253804435158829933724"
]
},
"signature_version": "v1",
"deprecated": false,
"signature_type": "Line",
"id": "CVE-2022-49703-efb3a8b8",
"target": {
"file": "drivers/scsi/ibmvscsi/ibmvfc.h"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@6d38e3b614ded59da8b95377a98df969a5a5627a"
},
{
"digest": {
"length": 1216.0,
"function_hash": "36602681651680724480353700394626830665"
},
"signature_version": "v1",
"deprecated": false,
"signature_type": "Function",
"id": "CVE-2022-49703-fdd9374f",
"target": {
"function": "ibmvfc_alloc_queue",
"file": "drivers/scsi/ibmvscsi/ibmvfc.c"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@aeaadcde1a60138bceb65de3cdaeec78170b4459"
}
]
source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-49703.json"