CVE-2022-48792 in Linux
Summary
by MITRE • 07/16/2024
In the Linux kernel, the following vulnerability has been resolved:
scsi: pm8001: Fix use-after-free for aborted SSP/STP sas_task
Currently a use-after-free may occur if a sas_task is aborted by the upper layer before we handle the I/O completion in mpi_ssp_completion() or mpi_sata_completion().
In this case, the following are the two steps in handling those I/O completions:
- Call complete() to inform the upper layer handler of completion of the I/O.
- Release driver resources associated with the sas_task in pm8001_ccb_task_free() call.
When complete() is called, the upper layer may free the sas_task. As such, we should not touch the associated sas_task afterwards, but we do so in the pm8001_ccb_task_free() call.
Fix by swapping the complete() and pm8001_ccb_task_free() calls ordering.
Analysis
by VulDB Data Team • 03/05/2025
The vulnerability identified as CVE-2022-48792 represents a critical use-after-free condition within the Linux kernel's SCSI subsystem, specifically affecting the pm8001 driver used for managing SAS/SATA storage controllers. This flaw exists in the handling of aborted sas_task operations and stems from improper ordering of function calls during I/O completion processing. The vulnerability is classified under CWE-416, which deals with use-after-free conditions, and aligns with ATT&CK technique T1059.003 for executing malicious code through kernel-level exploits. The pm8001 driver is responsible for managing storage devices in various enterprise and server environments, making this vulnerability particularly concerning for system stability and security.
The vulnerability is triggered when upper-layer components abort a sas_task before the lower-level I/O completion handlers have finished processing it. During normal operation, the driver processes I/O completions in two distinct steps within the mpi_ssp_completion() and mpi_sata_completion() functions. The original flawed implementation first calls complete() to notify the upper layer of I/O completion, at which point the upper layer may free the sas_task structure. The driver then attempts to release its associated resources through the pm8001_ccb_task_free() call, but by that point the sas_task has already been freed by the upper layer, so the call dereferences freed memory. This race condition means deallocated memory is still being accessed, potentially allowing arbitrary code execution or system crashes.
The operational impact of CVE-2022-48792 extends beyond simple system instability to encompass potential security breaches and denial-of-service conditions. When exploited, this vulnerability can cause system crashes or panics during storage I/O operations, particularly when handling aborted tasks in high-throughput environments. The vulnerability affects systems using the pm8001 driver for SAS/SATA storage controllers, which are commonly found in enterprise servers, storage arrays, and data center environments. Attackers could potentially leverage this flaw to execute malicious code with kernel privileges, leading to complete system compromise. The vulnerability is particularly dangerous in environments where storage operations are frequent and concurrent, as the race condition increases the probability of exploitation.
The fix for CVE-2022-48792 implements a critical ordering change in the completion handling logic by swapping the sequence of the complete() and pm8001_ccb_task_free() calls. This modification ensures that driver resource cleanup occurs before the upper layer is notified of completion, so the driver never touches the sas_task after the upper layer has had the opportunity to free it. The solution addresses the underlying race condition by keeping memory lifecycle management consistent throughout the I/O completion process. Security researchers have noted that this fix aligns with established kernel security practices and follows the principle of least privilege by ensuring that memory access occurs only while the structures are valid. Organizations should prioritize applying this patch to all systems running affected kernel versions, particularly those in critical infrastructure environments where storage reliability and security are paramount. The mitigation strategy also includes monitoring for potential exploitation attempts and implementing additional security controls around storage I/O operations in vulnerable environments.
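As an added illustration (not the page's or the kernel's own code), the following user-space C model shows the two call orderings discussed above: the upper layer's complete() may free an aborted sas_task, so releasing the driver's ccb before calling complete() is what keeps pm8001_ccb_task_free() from touching freed memory. The structures, field names and the `freed` flag are constructed stand-ins for the real kernel objects, chosen so the model can count post-free accesses instead of triggering real undefined behaviour.

```c
#include <stdbool.h>
#include <stddef.h>

/* Constructed, simplified models; field names are illustrative, not the
 * real pm8001 / libsas layout. */
struct sas_task {
    bool freed;                  /* models the upper layer having freed it */
    void *lldd_task;             /* back-pointer to the driver's ccb */
};
struct pm8001_ccb_info { struct sas_task *task; };

static int uaf_count;            /* accesses to a task after it was "freed" */

/* Upper-layer complete(): for an aborted task, libsas may free the
 * sas_task as soon as it learns the I/O is done. */
static void upper_layer_complete(struct sas_task *task, bool aborted)
{
    if (aborted)
        task->freed = true;      /* stands in for kfree(task); avoids real UB */
}

/* Driver-side cleanup: dereferences the task to clear its back-pointer. */
static void pm8001_ccb_task_free(struct pm8001_ccb_info *ccb)
{
    struct sas_task *task = ccb->task;
    if (task->freed)
        uaf_count++;             /* in the real driver this is the use-after-free */
    else
        task->lldd_task = NULL;
    ccb->task = NULL;
}

/* Runs one I/O completion in the chosen ordering and returns how many
 * post-free accesses to the sas_task it made (0 means safe). */
int run_completion(bool fixed_order, bool aborted)
{
    struct pm8001_ccb_info ccb;
    struct sas_task task = { .freed = false, .lldd_task = &ccb };
    ccb.task = &task;
    uaf_count = 0;
    if (fixed_order) {           /* after the fix: free ccb, then complete() */
        pm8001_ccb_task_free(&ccb);
        upper_layer_complete(&task, aborted);
    } else {                     /* before the fix: complete(), then free ccb */
        upper_layer_complete(ccb.task, aborted);
        pm8001_ccb_task_free(&ccb);
    }
    return uaf_count;
}
```

Only the aborted-task path in the pre-fix ordering reports a post-free access; the fixed ordering and non-aborted completions report none.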