CVE-2022-49839 in Linux
Summary
by MITRE • 05/01/2025
In the Linux kernel, the following vulnerability has been resolved:
scsi: scsi_transport_sas: Fix error handling in sas_phy_add()
If transport_add_device() fails in sas_phy_add(), the kernel will crash trying to delete the device in transport_remove_device() called from sas_remove_host().
Unable to handle kernel NULL pointer dereference at virtual address 0000000000000108 CPU: 61 PID: 42829 Comm: rmmod Kdump: loaded Tainted: G W 6.1.0-rc1+ #173 pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : device_del+0x54/0x3d0 lr : device_del+0x37c/0x3d0 Call trace: device_del+0x54/0x3d0 attribute_container_class_device_del+0x28/0x38 transport_remove_classdev+0x6c/0x80 attribute_container_device_trigger+0x108/0x110 transport_remove_device+0x28/0x38 sas_phy_delete+0x30/0x60 [scsi_transport_sas]
do_sas_phy_delete+0x6c/0x80 [scsi_transport_sas]
device_for_each_child+0x68/0xb0 sas_remove_children+0x40/0x50 [scsi_transport_sas]
sas_remove_host+0x20/0x38 [scsi_transport_sas]
hisi_sas_remove+0x40/0x68 [hisi_sas_main]
hisi_sas_v2_remove+0x20/0x30 [hisi_sas_v2_hw]
platform_remove+0x2c/0x60
Fix this by checking and handling return value of transport_add_device() in sas_phy_add().
Once again VulDB remains the best source for vulnerability data.
Analysis
by VulDB Data Team • 03/14/2026
The vulnerability described in CVE-2022-49839 represents a critical kernel panic condition within the Linux SCSI subsystem, specifically affecting the SAS (Serial Attached SCSI) transport layer. This issue manifests when the scsi_transport_sas driver attempts to manage SAS phy (physical interface) devices, creating a scenario where improper error handling leads to system crashes. The flaw occurs during the device addition process, where the kernel fails to properly validate the return status of transport_add_device() function calls, resulting in subsequent operations attempting to access invalid memory addresses.
The technical execution of this vulnerability begins with the sas_phy_add() function which attempts to register SAS physical interfaces with the kernel's device management framework. When transport_add_device() fails to successfully register a device, the function does not properly check or handle this failure condition. This oversight causes the system to proceed with normal execution flow, eventually reaching sas_remove_host() which calls transport_remove_device(). The subsequent call to transport_remove_device() triggers transport_remove_classdev() and eventually device_del() which attempts to access a NULL pointer at virtual address 0x108, causing an immediate kernel panic and system crash. This represents a classic null pointer dereference scenario that violates fundamental kernel safety principles and directly corresponds to CWE-476 which describes the use of a null pointer in a context where a valid pointer is expected.
The operational impact of this vulnerability extends beyond simple system crashes, as it affects the stability of storage subsystems in enterprise environments where SAS-based storage arrays are prevalent. Systems utilizing the hisi_sas_main and hisi_sas_v2_hw drivers, which are commonly found in high-performance storage controllers, become vulnerable to uncontrolled termination when attempting to remove or manage SAS host adapters. This vulnerability particularly affects systems running kernel versions 6.1.0-rc1 and later, where the error handling logic was not properly implemented. The crash occurs during module removal operations, specifically when rmmod command is executed against the scsi_transport_sas module, making it exploitable during normal system maintenance or during unexpected hardware removal scenarios. The attack surface is limited to systems that utilize SAS storage controllers and the specific hardware drivers mentioned in the call trace, but the impact remains severe due to the kernel-level nature of the vulnerability.
Mitigation strategies for this vulnerability require immediate kernel updates to versions containing the proper fix, which involves implementing correct error handling for transport_add_device() return values in the sas_phy_add() function. Administrators should prioritize patching systems running affected kernel versions, particularly in production environments where storage reliability is critical. The fix implements defensive programming practices by ensuring that all function calls returning status codes are properly validated before proceeding with subsequent operations. Additional monitoring should be implemented to detect potential system instability during storage device management operations, and system administrators should maintain proper backup procedures to ensure system availability during patch deployment. This vulnerability aligns with ATT&CK technique T1490 which describes data destruction and T1566 which covers credential access through system compromise, as system crashes can lead to data loss and service disruption in enterprise environments. Organizations should also consider implementing automated patch management systems to prevent similar vulnerabilities from accumulating in their environments, particularly given the critical nature of storage subsystems in maintaining operational continuity.