CVE-2022-48692 in Linux

Summary

by MITRE • 05/03/2024

In the Linux kernel, the following vulnerability has been resolved:

RDMA/srp: Set scmnd->result only when scmnd is not NULL

This change fixes the following kernel NULL pointer dereference which is reproduced by blktests srp/007 occasionally.

BUG: kernel NULL pointer dereference, address: 0000000000000170
PGD 0 P4D 0
Oops: 0002 [#1] PREEMPT SMP NOPTI
CPU: 0 PID: 9 Comm: kworker/0:1H Kdump: loaded Not tainted 6.0.0-rc1+ #37
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.15.0-29-g6a62e0cb0dfe-prebuilt.qemu.org 04/01/2014
Workqueue: 0x0 (kblockd)
RIP: 0010:srp_recv_done+0x176/0x500 [ib_srp]
Code: 00 4d 85 ff 0f 84 52 02 00 00 48 c7 82 80 02 00 00 00 00 00 00 4c 89 df 4c 89 14 24 e8 53 d3 4a f6 4c 8b 14 24 41 0f b6 42 13 89 87 70 01 00 00 41 0f b6 52 12 f6 c2 02 74 44 41 8b 42 1c b9
RSP: 0018:ffffaef7c0003e28 EFLAGS: 00000282
RAX: 0000000000000000 RBX: ffff9bc9486dea60 RCX: 0000000000000000
RDX: 0000000000000102 RSI: ffffffffb76bbd0e RDI: 00000000ffffffff
RBP: ffff9bc980099a00 R08: 0000000000000001 R09: 0000000000000001
R10: ffff9bca53ef0000 R11: ffff9bc980099a10 R12: ffff9bc956e14000
R13: ffff9bc9836b9cb0 R14: ffff9bc9557b4480 R15: 0000000000000000
FS: 0000000000000000(0000) GS:ffff9bc97ec00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000170 CR3: 0000000007e04000 CR4: 00000000000006f0
Call Trace:
__ib_process_cq+0xb7/0x280 [ib_core]
ib_poll_handler+0x2b/0x130 [ib_core]
irq_poll_softirq+0x93/0x150
__do_softirq+0xee/0x4b8
irq_exit_rcu+0xf7/0x130
sysvec_apic_timer_interrupt+0x8e/0xc0


Analysis

by VulDB Data Team • 09/29/2025

CVE-2022-48692 is a NULL pointer dereference in ib_srp, the Linux kernel's SRP (SCSI RDMA Protocol) initiator driver (drivers/infiniband/ulp/srp). Note that ib_srp is the initiator side, which issues SCSI commands to a remote SRP target over an RDMA fabric; the in-kernel target is the separate ib_srpt driver, which this fix does not touch. The fault is in srp_recv_done, the receive-completion handler that processes SRP_RSP response IUs arriving from the target. For a response that carries an ordinary command tag, the handler resolves the tag to the in-flight SCSI command (struct scsi_cmnd, scmnd) that owns it and copies the response status into scmnd->result. That resolution can yield NULL, typically when a response arrives for a tag that no longer has a command associated with it because the command was already completed, aborted or reclaimed during error recovery, which is why the report mentions race conditions and error paths. Before the fix the store to scmnd->result could execute before the NULL case was handled, so the write went through a NULL pointer. The fix is what the title says: assign scmnd->result only once scmnd has been checked to be non-NULL.

The root cause is CWE-476 (NULL Pointer Dereference), and the oops report shows exactly that rather than a freed object. CR2 holds the faulting address 0x0000000000000170, the Oops code 0002 means a write to a non-present page from kernel mode, and the Code: bytes around the faulting instruction include 41 0f b6 42 13 (movzbl 0x13(%r10),%eax, which loads the one-byte status field at offset 0x13 of the SRP_RSP IU) followed by 89 87 70 01 00 00 (mov %eax,0x170(%rdi), a store to offset 0x170 of the structure in %rdi). That is scmnd->result with scmnd == NULL: 0x170 is NULL plus the offset of result within struct scsi_cmnd on this 6.0.0-rc1 build, not a dangling pointer into freed or never-allocated memory, so this is not a use-after-free. The ATT&CK reference to T1059.001 (Command and Scripting Interpreter: PowerShell) does not describe this flaw; no command interpreter is involved and the bug is not a code-execution primitive. On x86-64 the zero page cannot be mapped from user space (vm.mmap_min_addr), so a kernel write to a small NULL-relative offset faults instead of landing on attacker-controlled memory. Because the fault happens in softirq context (irq_poll_softirq is in the call trace), the kernel treats it as a fatal exception in interrupt and panics rather than merely killing a task. The realistic impact is therefore denial of service of the whole host, not privilege escalation.
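The ordering the fix title describes, as an added example that is not the kernel's or this page's own code: a user-space C model of the SRP_RSP handling in srp_recv_done, with the pre-fix store shown beside the fixed one. The struct layouts, the SRP_TAG_TSK_MGMT bit, the credit field and find_tag are assumed stand-ins for ib_srp internals, and the in-flight table and the three responses are constructed input.

```c
/* Added example, not the kernel's code: a user-space model of the SRP_RSP
 * path in srp_recv_done() showing why scmnd->result must be written only
 * after the tag lookup has been checked for NULL. Struct layouts, the tag
 * flag, the credit field and the lookup are assumed stand-ins for ib_srp. */
#include <stdint.h>
#include <stdio.h>

#define SRP_TAG_TSK_MGMT (1ULL << 63)  /* assumed: marks task-management tags */
#define MAX_TAGS 8                     /* assumed: tiny tag space for the demo */

struct scsi_cmnd { int result; };      /* struct scsi_cmnd reduced to one field */

struct srp_rsp {                       /* SRP_RSP fields the handler consumes */
    uint64_t tag;                      /* tag of the command being answered */
    uint32_t req_lim_delta;            /* credits returned by the target */
    uint8_t  status;                   /* SCSI status byte */
};

struct srp_rdma_ch {                   /* per-channel state */
    struct scsi_cmnd *in_flight[MAX_TAGS]; /* NULL = no command owns the tag */
    long req_lim;                      /* request-limit credits */
    int  stale_responses;              /* responses that matched no command */
};

/* Stand-in for scsi_host_find_tag(): NULL when no command owns the tag. */
static struct scsi_cmnd *find_tag(struct srp_rdma_ch *ch, uint64_t tag)
{
    return tag < MAX_TAGS ? ch->in_flight[tag] : NULL;
}

/* Pre-fix ordering as the fix title describes it: the store precedes the
 * NULL handling, so an unmatched tag writes to NULL + offsetof(result), the
 * 0x170 write fault in the report. The kernel builds with
 * -fno-delete-null-pointer-checks; otherwise the compiler could drop the late
 * check entirely. Never called here, kept for comparison only. */
__attribute__((unused))
static int process_rsp_unsafe(struct srp_rdma_ch *ch, const struct srp_rsp *rsp)
{
    struct scsi_cmnd *scmnd = find_tag(ch, rsp->tag);

    scmnd->result = rsp->status;       /* NULL pointer dereference */
    if (!scmnd)
        return -1;
    ch->in_flight[rsp->tag] = NULL;
    ch->req_lim += rsp->req_lim_delta;
    return 0;
}

/* Fixed ordering: credit the channel, classify the tag, resolve it, handle
 * the NULL case, and only then touch the command. Returns 0 for a matched
 * command, -1 for an unmatched tag, 1 for a task-management response. */
int process_rsp_fixed(struct srp_rdma_ch *ch, const struct srp_rsp *rsp)
{
    struct scsi_cmnd *scmnd;

    ch->req_lim += rsp->req_lim_delta; /* credits apply to every response */
    if (rsp->tag & SRP_TAG_TSK_MGMT)
        return 1;                      /* no scmnd behind a TMF tag */
    scmnd = find_tag(ch, rsp->tag);
    if (!scmnd) {                      /* duplicate, or command already gone */
        ch->stale_responses++;
        return -1;
    }
    scmnd->result = rsp->status;       /* safe: scmnd checked above */
    ch->in_flight[rsp->tag] = NULL;
    return 0;
}

/* Outcome of run_demo(), exposed as fields so it can be checked. */
struct demo_result {
    int  rc_valid, rc_stale, rc_tmf;   /* return codes of the three responses */
    int  cmd_result;                   /* cmd.result after the matched response */
    int  stale;                        /* ch.stale_responses */
    long req_lim;                      /* ch.req_lim */
    int  tag3_released;                /* 1 once tag 3 is cleared from in_flight */
};

/* Drives the fixed path over constructed input: one command in flight at
 * tag 3, then a matched, an unmatched (tag 5) and a task-management response. */
struct demo_result run_demo(void)
{
    struct srp_rdma_ch ch = {0};
    struct scsi_cmnd cmd = { .result = -1 };
    const struct srp_rsp valid = { .tag = 3, .req_lim_delta = 1, .status = 0x02 };
    const struct srp_rsp stale = { .tag = 5, .req_lim_delta = 1, .status = 0x00 };
    const struct srp_rsp tmf = { .tag = SRP_TAG_TSK_MGMT | 1, .req_lim_delta = 1 };
    struct demo_result r;

    ch.in_flight[3] = &cmd;
    r.rc_valid = process_rsp_fixed(&ch, &valid);
    r.rc_stale = process_rsp_fixed(&ch, &stale); /* would oops on the old path */
    r.rc_tmf = process_rsp_fixed(&ch, &tmf);
    r.cmd_result = cmd.result;
    r.stale = ch.stale_responses;
    r.req_lim = ch.req_lim;
    r.tag3_released = ch.in_flight[3] == NULL;
    return r;
}

int main(void)
{
    struct demo_result r = run_demo();

    printf("matched: rc=%d result=0x%02x released=%d\n",
           r.rc_valid, r.cmd_result, r.tag3_released);
    printf("unmatched: rc=%d stale=%d; tmf: rc=%d; req_lim=%ld\n",
           r.rc_stale, r.stale, r.rc_tmf, r.req_lim);
    return 0;
}
```

Build with `cc -Wall -o srp_rsp srp_rsp.c && ./srp_rsp`. The unmatched response for tag 5 is counted and dropped by process_rsp_fixed; fed to process_rsp_unsafe the same input would store through NULL at the offset of result, which is the shape of the fault in the report.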

Operationally this matters for hosts that consume SRP block storage over InfiniBand or RoCE, which is common in HPC and data-centre storage fabrics, and that run a kernel with the affected ib_srp code (the report is from 6.0.0-rc1). The reproducer is blktests srp/007, which like the other blktests srp cases drives I/O against an ib_srpt target on the same host over a software RDMA device, so no malicious peer is needed; the same condition can surface in production whenever responses race with command completion or abort paths under load. The call trace shows where it bites: srp_recv_done runs from __ib_process_cq via ib_poll_handler inside irq_poll_softirq, i.e. RDMA completion-queue polling in softirq context, which here interrupted the kworker/0:1H thread servicing kblockd (that is what the Workqueue: line in the report refers to); it is not a regular workqueue work item. An oops in softirq context is fatal for the host, so the outcome is a crash and loss of all storage served through that initiator, with a kdump vmcore if one is configured ("Kdump: loaded" in the report). Since srp_recv_done consumes response IUs received from the target over the fabric, the inputs that reach this code are produced by the remote side, which is a further reason to restrict which targets an initiator will talk to.

Mitigation is the kernel fix: update to a kernel that contains the commit titled "RDMA/srp: Set scmnd->result only when scmnd is not NULL", which moves the assignment to scmnd->result behind the NULL check so that a response whose tag resolves to no command is dropped instead of dereferenced. Stable and distribution kernels carry it as a backport, so check the kernel package changelog rather than the version number alone. Where a fixed kernel cannot be rolled out immediately, the exposure is limited to hosts that actually load ib_srp: blacklist the module on hosts that do not use SRP storage, and on hosts that do, restrict which targets the initiator logs in to (srp_daemon.conf supports allow and deny rules) and keep the RDMA fabric on a segregated network, since the response IUs that reach srp_recv_done originate from the target. Test the updated kernel against the production storage configuration before deployment, because ib_srp and multipath setups are sensitive to kernel changes. For detection, watch the kernel log for "BUG: kernel NULL pointer dereference" with RIP in srp_recv_done [ib_srp]; with kdump configured, the vmcore shows the state at the fault. On a patched kernel such responses are ignored, and a steady stream of them from one target points at a misbehaving peer rather than this bug. The fix itself is the standard defensive rule for kernel code: never dereference a lookup result before the NULL path has been handled.
