CVE-2022-48666 in Linux
Summary
by MITRE • 04/28/2024
In the Linux kernel, the following vulnerability has been resolved:
scsi: core: Fix a use-after-free
There are two .exit_cmd_priv implementations. Both implementations use resources associated with the SCSI host. Make sure that these resources are still available when .exit_cmd_priv is called by waiting inside scsi_remove_host() until the tag set has been freed.
This commit fixes the following use-after-free:
==================================================================
BUG: KASAN: use-after-free in srp_exit_cmd_priv+0x27/0xd0 [ib_srp]
Read of size 8 at addr ffff888100337000 by task multipathd/16727

Call Trace:
 dump_stack_lvl+0x34/0x44
 print_report.cold+0x5e/0x5db
 kasan_report+0xab/0x120
 srp_exit_cmd_priv+0x27/0xd0 [ib_srp]
 scsi_mq_exit_request+0x4d/0x70
 blk_mq_free_rqs+0x143/0x410
 __blk_mq_free_map_and_rqs+0x6e/0x100
 blk_mq_free_tag_set+0x2b/0x160
 scsi_host_dev_release+0xf3/0x1a0
 device_release+0x54/0xe0
 kobject_put+0xa5/0x120
 device_release+0x54/0xe0
 kobject_put+0xa5/0x120
 scsi_device_dev_release_usercontext+0x4c1/0x4e0
 execute_in_process_context+0x23/0x90
 device_release+0x54/0xe0
 kobject_put+0xa5/0x120
 scsi_disk_release+0x3f/0x50
 device_release+0x54/0xe0
 kobject_put+0xa5/0x120
 disk_release+0x17f/0x1b0
 device_release+0x54/0xe0
 kobject_put+0xa5/0x120
 dm_put_table_device+0xa3/0x160 [dm_mod]
 dm_put_device+0xd0/0x140 [dm_mod]
 free_priority_group+0xd8/0x110 [dm_multipath]
 free_multipath+0x94/0xe0 [dm_multipath]
 dm_table_destroy+0xa2/0x1e0 [dm_mod]
 __dm_destroy+0x196/0x350 [dm_mod]
 dev_remove+0x10c/0x160 [dm_mod]
 ctl_ioctl+0x2c2/0x590 [dm_mod]
 dm_ctl_ioctl+0x5/0x10 [dm_mod]
 __x64_sys_ioctl+0xb4/0xf0
 do_syscall_64+0x3b/0x90
 entry_SYSCALL_64_after_hwframe+0x46/0xb0
Analysis
by VulDB Data Team • 11/11/2024
CVE-2022-48666 is a critical use-after-free in the Linux kernel's SCSI subsystem, specifically in its storage communication protocol implementation. The issue arises in the interaction between the SCSI core and the InfiniBand Storage Protocol (ib_srp) driver: improper resource management during device removal leads to memory corruption when the kernel frees memory associated with SCSI host operations while other components still reference it. The flaw is particularly concerning because it can be triggered through normal storage operations involving multipath devices and SCSI transport layers, making it exploitable in production environments where storage subsystems are actively in use.
The root cause is improper synchronization of resource cleanup during the SCSI subsystem's device removal process. The kernel contains two implementations of the .exit_cmd_priv callback, both of which access resources tied to the SCSI host structure. When scsi_remove_host() is called during device removal, it does not wait for the tag set to be fully freed before those cleanup callbacks run. This race allows srp_exit_cmd_priv to execute against memory that has already been deallocated, so the kernel reads from freed memory. KASAN detects the violation when address ffff888100337000 is accessed from the multipathd process, and the call trace shows how the flaw propagates through the device management chain.
The operational impact goes beyond simple memory corruption: the condition could enable privilege escalation and system instability in environments using SCSI storage with InfiniBand transport. An attacker able to trigger the use-after-free could execute arbitrary code with kernel privileges, particularly on systems running multipath storage configurations where the device management stack is actively engaged. The vulnerability affects systems using the device mapper multipath subsystem, which is common in enterprise storage environments that require high availability and redundant storage paths. The call trace shows the issue propagating through several kernel subsystems, including block queue management, device release handlers, and the device mapper module, indicating that exploitation could lead to complete system compromise through the kernel's memory management subsystem.
Mitigation for CVE-2022-48666 requires updating to a patched kernel that synchronizes the cleanup operations correctly. The fix makes scsi_remove_host() wait until the tag set has been completely freed before the .exit_cmd_priv implementations are invoked, eliminating the race that causes the use-after-free. Organizations should prioritize applying the relevant kernel security patches to all systems running affected kernel versions, particularly those using SCSI storage with InfiniBand transport protocols. Additional defensive measures include monitoring for unusual device removal patterns and managing kernel versions so that vulnerable releases are not deployed. The vulnerability maps to CWE-416 (use-after-free) and to ATT&CK technique T1068 (privilege escalation through kernel vulnerabilities). The fix illustrates the importance of resource lifecycle management in kernel code and the need for careful synchronization in multi-threaded subsystems where shared resources are accessed by multiple components during device lifecycle operations.
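The lifecycle ordering described in the root-cause and mitigation paragraphs above, as an added user-space model that is not kernel code and not part of the original advisory: a driver-owned resource, a host whose last reference is held by another context (dm multipath), and a remove path that in the unpatched variant returns before the tag set is freed. All struct and function names are hypothetical simplifications of the kernel's, and the concurrent holder is modeled as a deferred release run cooperatively rather than as a real thread.

```c
#include <stdbool.h>

/* Hypothetical stand-in for LLD-owned memory read by .exit_cmd_priv
 * (in the real bug, SRP target state used by srp_exit_cmd_priv()). */
struct lld_resource { bool freed; };

struct host {
    struct lld_resource *res;
    int refs;            /* host's own reference + references held via scsi_device */
    int deferred_puts;   /* releases another context (dm multipath) will do later */
    bool tagset_freed;   /* set once blk_mq_free_tag_set() has run */
    int uaf_reads;       /* .exit_cmd_priv calls that touched freed memory */
};

/* Model of the driver's .exit_cmd_priv: dereferences LLD-owned memory. */
static void exit_cmd_priv(struct host *h) { if (h->res->freed) h->uaf_reads++; }

/* Model of blk_mq_free_tag_set(): calls .exit_cmd_priv for each request. */
static void free_tag_set(struct host *h) { exit_cmd_priv(h); h->tagset_freed = true; }

/* The last reference drop runs scsi_host_dev_release(), which frees the tag set. */
static void host_put(struct host *h) { if (--h->refs == 0) free_tag_set(h); }

/* One release done by another context, e.g. multipathd destroying a dm table
 * (dm_put_device -> ... -> scsi_host_dev_release in the trace above). */
static void run_one_deferred_put(struct host *h) {
    if (h->deferred_puts > 0) { h->deferred_puts--; host_put(h); }
}

/* Model of scsi_remove_host(). With fixed == true it waits until the tag set
 * has been freed; the other contexts keep running meanwhile, which the loop
 * models by performing their deferred releases before returning. */
static void remove_host(struct host *h, bool fixed) {
    host_put(h);
    while (fixed && !h->tagset_freed && h->deferred_puts > 0)
        run_one_deferred_put(h);
}

/* LLD removal path: scsi_remove_host(), then free LLD resources. Returns how
 * many .exit_cmd_priv calls read memory the LLD had already freed. */
int simulate_removal(bool fixed) {
    struct lld_resource res = { false };
    struct host h = { &res, 2, 1, false, 0 };   /* 1 host ref + 1 held by dm multipath */
    remove_host(&h, fixed);
    res.freed = true;                            /* LLD frees its host-associated state */
    while (h.deferred_puts > 0)                  /* multipathd's release arrives later */
        run_one_deferred_put(&h);
    return h.uaf_reads;
}
```

Calling simulate_removal(false) reproduces the unpatched ordering (one read of freed memory), while simulate_removal(true) shows the patched ordering, where the wait in remove_host() guarantees .exit_cmd_priv has run before the driver frees its state.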