CVE-2022-49703

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2022-49703
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-49703.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2022-49703
Related
Published
2025-02-26T07:01:45Z
Modified
2025-03-11T22:28:03Z
Downstream
Severity
  • 5.5 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
Summary
[none]
Details

In the Linux kernel, the following vulnerability has been resolved:

scsi: ibmvfc: Store vhost pointer during subcrq allocation

Currently the back pointer from a queue to the vhost adapter isn't set until after subcrq interrupt registration. The value is available when a queue is first allocated and can/should be also set for primary and async queues as well as subcrqs.

This fixes a crash observed during kexec/kdump on Power 9 with legacy XICS interrupt controller where a pending subcrq interrupt from the previous kernel can be replayed immediately upon IRQ registration resulting in dereference of a garbage backpointer in ibmvfcinterruptscsi().

Kernel attempted to read user page (58) - exploit attempt? (uid: 0) BUG: Kernel NULL pointer dereference on read at 0x00000058 Faulting instruction address: 0xc008000003216a08 Oops: Kernel access of bad area, sig: 11 [#1] ... NIP [c008000003216a08] ibmvfcinterruptscsi+0x40/0xb0 [ibmvfc] LR [c0000000082079e8] _handleirqeventpercpu+0x98/0x270 Call Trace: [c000000047fa3d80] [c0000000123e6180] 0xc0000000123e6180 (unreliable) [c000000047fa3df0] [c0000000082079e8] _handleirqeventpercpu+0x98/0x270 [c000000047fa3ea0] [c000000008207d18] handleirqevent+0x98/0x188 [c000000047fa3ef0] [c00000000820f564] handlefasteoiirq+0xc4/0x310 [c000000047fa3f40] [c000000008205c60] generichandleirq+0x50/0x80 [c000000047fa3f60] [c000000008015c40] _doirq+0x70/0x1a0 [c000000047fa3f90] [c000000008016d7c] _doIRQ+0x9c/0x130 [c000000014622f60] [0000000020000000] 0x20000000 [c000000014622ff0] [c000000008016e50] doIRQ+0x40/0xa0 [c000000014623020] [c000000008017044] replaysoftinterrupts+0x194/0x2f0 [c000000014623210] [c0000000080172a8] archlocalirqrestore+0x108/0x170 [c000000014623240] [c000000008eb1008] rawspinunlockirqrestore+0x58/0xb0 [c000000014623270] [c00000000820b12c] _setupirq+0x49c/0x9f0 [c000000014623310] [c00000000820b7c0] requestthreadedirq+0x140/0x230 [c000000014623380] [c008000003212a50] ibmvfcregisterscsichannel+0x1e8/0x2f0 [ibmvfc] [c000000014623450] [c008000003213d1c] ibmvfcinitsubcrqs+0xc4/0x1f0 [ibmvfc] [c0000000146234d0] [c0080000032145a8] ibmvfcresetcrq+0x150/0x210 [ibmvfc] [c000000014623550] [c0080000032147c8] ibmvfcinitcrq+0x160/0x280 [ibmvfc] [c0000000146235f0] [c00800000321a9cc] ibmvfc_probe+0x2a4/0x530 [ibmvfc]

References

Affected packages

Debian:12 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
5.18.14-1

Ecosystem specific 

{
    "urgency": "not yet assigned"
}

Debian:13 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
5.18.14-1

Ecosystem specific 

{
    "urgency": "not yet assigned"
}