CVE-2022-49504 in Linux

Summary

by MITRE • 02/26/2025

In the Linux kernel, the following vulnerability has been resolved:

scsi: lpfc: Inhibit aborts if external loopback plug is inserted

After running a short external loopback test, when the external loopback is removed and a normal cable inserted that is directly connected to a target device, the system oopses in the lpfc_set_rrq_active() routine.

When the loopback was inserted an FLOGI was transmitted. As we're looped back, we receive the FLOGI request. The FLOGI is ABTS'd as we recognize the same wwpn and thus understand it's a loopback. However, as the ABTS sends address information the port is not set to (fffffe), the ABTS is dropped on the wire. A short 1 frame loopback test is run and completes before the ABTS times out. The loopback is unplugged and the new cable plugged in, and an FLOGI to the new device occurs and completes. Due to a mixup in ref counting the completion of the new FLOGI releases the fabric ndlp. Then the original ABTS completes and references the released ndlp, generating the oops.

Correct by no-op'ing the ABTS when in loopback mode (it will be dropped anyway). Added a flag to track the mode to recognize when it should be no-op'd.


Analysis

by VulDB Data Team • 10/21/2025

The vulnerability described in CVE-2022-49504 affects the Linux kernel's SCSI lpfc driver, specifically its Fibre Channel protocol handling. It manifests as a kernel oops when a port transitions from an external loopback test configuration back to a normal cable connection. During that transition the driver fails to manage reference counting correctly for its network data link protocol nodes (ndlp), so a node is released while an outstanding operation still refers to it.

The technical flaw stems from how the lpfc driver handles the ABTS (Abort Sequence) it issues while operating in external loopback mode. When an external loopback plug is inserted, the port sends an FLOGI (Fabric Login) request which is looped back to it; the driver recognizes the request as its own through the matching wwpn (World Wide Port Name) and aborts it with an ABTS. However, the ABTS carries address information for a port that is not set to the fabric address fffffe, so the ABTS is dropped on the wire and can only complete by timing out. This creates a race: a short loopback test completes before the ABTS times out, the loopback plug is removed, a normal cable is inserted, and a new FLOGI to the attached device completes. Because of a reference counting mixup, the completion of the new FLOGI releases the fabric ndlp; when the original ABTS finally completes, it references the already released ndlp and the kernel oopses.

The operational impact is a reliability issue that can crash a host during routine connectivity changes in Fibre Channel storage environments. This matters in storage area networks where cables and connections are changed dynamically, because the crash translates directly into unexpected service interruptions. The vulnerability specifically concerns the lpfc driver's reference counting and message completion ordering, creating a condition where a completion handler accesses a data structure that has already been freed. This type of vulnerability aligns with CWE-476 which describes NULL pointer dereference conditions, and also relates to CWE-121 which covers stack-based buffer overflow conditions that can occur due to improper memory management.

The fix adds a flag that tracks whether the port is in external loopback mode and makes the ABTS a no-operation (no-op) while that flag is set. Since the ABTS would be dropped on the wire anyway in a loopback scenario, not issuing it removes the dangling completion that would later reference the released ndlp. The solution follows established practices for handling mode-dependent operations in kernel drivers and addresses the root cause by ensuring proper state management during connection transitions. This approach aligns with ATT&CK technique T1059.001 which involves command and scripting interpreter usage, but more specifically relates to kernel-level privilege escalation and system stability maintenance through proper resource management. The fix demonstrates defensive programming by preventing invalid memory access while preserving the expected loopback behaviour and normal link operation. The vulnerability highlights the complexity of managing concurrent connection states in storage protocols and the importance of careful reference counting in kernel-level code, where a single unbalanced reference becomes a use-after-free.
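The sequence above, reduced to a small constructed C model (added here; this is not lpfc code, and the names `fabric_node`, `port`, `issue_abts` and `replay` are hypothetical). It replays the ordering from the analysis with and without the loopback flag, and reports whether the late ABTS completion lands on a node that has already been released.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed model (not the driver's code): a fabric node freed when its
 * last reference is dropped. 'released' stands in for the free so that a late
 * access can be detected without touching freed memory. */
struct fabric_node {
    int refs;
    bool released;
};

/* Port state. The fix adds a flag recording that the link is in external
 * loopback so aborts can be suppressed while it is set (hypothetical names). */
struct port {
    bool external_loopback;
    bool fix_applied;
};

static void node_put(struct fabric_node *n)
{
    if (--n->refs == 0)
        n->released = true;
}

/* Before the fix the ABTS for the looped-back FLOGI is always sent; its frame
 * is dropped on the wire, so its completion only arrives after the timeout and
 * still carries a raw pointer to the node. With the fix it is a no-op while in
 * loopback. Returns true if an ABTS was issued. */
static bool issue_abts(const struct port *p)
{
    return !(p->fix_applied && p->external_loopback);
}

/* Replays: loopback FLOGI -> ABTS, plug swap, new FLOGI completion releases the
 * node, then the old ABTS completes. Returns 1 if that completion would touch a
 * released node (the oops), 0 otherwise. */
int replay(bool fix_applied)
{
    struct port p = { .external_loopback = true, .fix_applied = fix_applied };
    struct fabric_node fabric = { .refs = 1, .released = false };
    bool abts_pending = issue_abts(&p);

    p.external_loopback = false;  /* loopback unplugged, real cable inserted */
    node_put(&fabric);            /* new FLOGI completes; ref-count mixup releases the node */

    return (abts_pending && fabric.released) ? 1 : 0;
}

int main(void)
{
    printf("unfixed: %s\n", replay(false) ? "oops" : "ok");
    printf("fixed:   %s\n", replay(true) ? "oops" : "ok");
    return 0;
}
```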

Responsible

Linux

Reservation

02/26/2025

Disclosure

02/26/2025

Moderation

accepted

CPE

ready

EPSS

0.00211

KEV

no

Activities

very low
