{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2022-48792", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2024-07-16T11:38:08.893Z", "datePublished": "2024-07-16T11:43:48.026Z", "dateUpdated": "2024-09-11T17:34:15.612Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2024-07-16T11:43:48.026Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: pm8001: Fix use-after-free for aborted SSP/STP sas_task\n\nCurrently a use-after-free may occur if a sas_task is aborted by the upper\nlayer before we handle the I/O completion in mpi_ssp_completion() or\nmpi_sata_completion().\n\nIn this case, the following are the two steps in handling those I/O\ncompletions:\n\n - Call complete() to inform the upper layer handler of completion of\n the I/O.\n\n - Release driver resources associated with the sas_task in\n pm8001_ccb_task_free() call.\n\nWhen complete() is called, the upper layer may free the sas_task. As such,\nwe should not touch the associated sas_task afterwards, but we do so in the\npm8001_ccb_task_free() call.\n\nFix by swapping the complete() and pm8001_ccb_task_free() calls ordering."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/scsi/pm8001/pm80xx_hwi.c"], "versions": [{"version": "1da177e4c3f4", "lessThan": "fe9ac3eaa2e3", "status": "affected", "versionType": "git"}, {"version": "1da177e4c3f4", "lessThan": "d9d93f32534a", "status": "affected", "versionType": "git"}, {"version": "1da177e4c3f4", "lessThan": "f61f9fccb2cb", "status": "affected", "versionType": "git"}, {"version": "1da177e4c3f4", "lessThan": "df7abcaa1246", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/scsi/pm8001/pm80xx_hwi.c"], "versions": [{"version": "5.10.102", "lessThanOrEqual": "5.10.*", "status": "unaffected", "versionType": "custom"}, {"version": "5.15.25", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "custom"}, {"version": "5.16.11", "lessThanOrEqual": "5.16.*", "status": "unaffected", "versionType": "custom"}, {"version": "5.17", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "references": [{"url": "https://git.kernel.org/stable/c/fe9ac3eaa2e387a5742b380b73a5a6bc237bf184"}, {"url": "https://git.kernel.org/stable/c/d9d93f32534a0a80a1c26bdb0746d90a7b19c2c2"}, {"url": "https://git.kernel.org/stable/c/f61f9fccb2cb4bb275674a79d638704db6bc2171"}, {"url": "https://git.kernel.org/stable/c/df7abcaa1246e2537ab4016077b5443bb3c09378"}], "title": "scsi: pm8001: Fix use-after-free for aborted SSP/STP sas_task", "x_generator": {"engine": "bippy-c9c4e1df01b2"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T15:25:01.578Z"}, "title": "CVE Program Container", "references": [{"url": "https://git.kernel.org/stable/c/fe9ac3eaa2e387a5742b380b73a5a6bc237bf184", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/d9d93f32534a0a80a1c26bdb0746d90a7b19c2c2", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/f61f9fccb2cb4bb275674a79d638704db6bc2171", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/df7abcaa1246e2537ab4016077b5443bb3c09378", "tags": ["x_transferred"]}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2022-48792", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-09-10T16:59:32.216009Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-11T17:34:15.612Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://git.kernel.org/stable/c/fe9ac3eaa2e387a5742b380b73a5a6bc237bf184", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/d9d93f32534a0a80a1c26bdb0746d90a7b19c2c2", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/f61f9fccb2cb4bb275674a79d638704db6bc2171", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/df7abcaa1246e2537ab4016077b5443bb3c09378", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T15:25:01.578Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2022-48792", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-09-10T16:59:32.216009Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-11T12:42:21.634Z"}}], "cna": {"title": "scsi: pm8001: Fix use-after-free for aborted SSP/STP sas_task", "affected": [{"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "product": "Linux", "versions": [{"status": "affected", "version": "1da177e4c3f4", "lessThan": "fe9ac3eaa2e3", "versionType": "git"}, {"status": "affected", "version": "1da177e4c3f4", "lessThan": "d9d93f32534a", "versionType": "git"}, {"status": "affected", "version": "1da177e4c3f4", "lessThan": "f61f9fccb2cb", "versionType": "git"}, {"status": "affected", "version": "1da177e4c3f4", "lessThan": "df7abcaa1246", "versionType": "git"}], "programFiles": ["drivers/scsi/pm8001/pm80xx_hwi.c"], "defaultStatus": "unaffected"}, {"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "product": "Linux", "versions": [{"status": "unaffected", "version": "5.10.102", "versionType": "custom", "lessThanOrEqual": "5.10.*"}, {"status": "unaffected", "version": "5.15.25", "versionType": "custom", "lessThanOrEqual": "5.15.*"}, {"status": "unaffected", "version": "5.16.11", "versionType": "custom", "lessThanOrEqual": "5.16.*"}, {"status": "unaffected", "version": "5.17", "versionType": "original_commit_for_fix", "lessThanOrEqual": "*"}], "programFiles": ["drivers/scsi/pm8001/pm80xx_hwi.c"], "defaultStatus": "affected"}], "references": [{"url": "https://git.kernel.org/stable/c/fe9ac3eaa2e387a5742b380b73a5a6bc237bf184"}, {"url": "https://git.kernel.org/stable/c/d9d93f32534a0a80a1c26bdb0746d90a7b19c2c2"}, {"url": "https://git.kernel.org/stable/c/f61f9fccb2cb4bb275674a79d638704db6bc2171"}, {"url": "https://git.kernel.org/stable/c/df7abcaa1246e2537ab4016077b5443bb3c09378"}], "x_generator": {"engine": "bippy-c9c4e1df01b2"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: pm8001: Fix use-after-free for aborted SSP/STP sas_task\n\nCurrently a use-after-free may occur if a sas_task is aborted by the upper\nlayer before we handle the I/O completion in mpi_ssp_completion() or\nmpi_sata_completion().\n\nIn this case, the following are the two steps in handling those I/O\ncompletions:\n\n - Call complete() to inform the upper layer handler of completion of\n the I/O.\n\n - Release driver resources associated with the sas_task in\n pm8001_ccb_task_free() call.\n\nWhen complete() is called, the upper layer may free the sas_task. As such,\nwe should not touch the associated sas_task afterwards, but we do so in the\npm8001_ccb_task_free() call.\n\nFix by swapping the complete() and pm8001_ccb_task_free() calls ordering."}], "providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2024-07-16T11:43:48.026Z"}}}, "cveMetadata": {"cveId": "CVE-2022-48792", "state": "PUBLISHED", "dateUpdated": "2024-09-11T17:34:15.612Z", "dateReserved": "2024-07-16T11:38:08.893Z", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "datePublished": "2024-07-16T11:43:48.026Z", "assignerShortName": "Linux"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "FE2A35CB-3560-4AEF-9643-66B8EB899366", "versionEndExcluding": "5.10.102", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "D098AA16-8E21-4EB7-AE2F-1EEB58E1A3A3", "versionEndExcluding": "5.15.25", "versionStartIncluding": "5.11", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "0D327234-5D4A-43DC-A6DF-BCA0CEBEC039", "versionEndExcluding": "5.16.11", "versionStartIncluding": "5.16", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: pm8001: Fix use-after-free for aborted SSP/STP sas_task\n\nCurrently a use-after-free may occur if a sas_task is aborted by the upper\nlayer before we handle the I/O completion in mpi_ssp_completion() or\nmpi_sata_completion().\n\nIn this case, the following are the two steps in handling those I/O\ncompletions:\n\n - Call complete() to inform the upper layer handler of completion of\n the I/O.\n\n - Release driver resources associated with the sas_task in\n pm8001_ccb_task_free() call.\n\nWhen complete() is called, the upper layer may free the sas_task. As such,\nwe should not touch the associated sas_task afterwards, but we do so in the\npm8001_ccb_task_free() call.\n\nFix by swapping the complete() and pm8001_ccb_task_free() calls ordering."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: scsi: pm8001: Corrige el use-after-free para sas_task SSP/STP abortado. Actualmente, puede ocurrir un use-after-free si la capa superior cancela una sas_task antes de que manejemos el Finalizaci\u00f3n de E/S en mpi_ssp_completion() o mpi_sata_completion(). En este caso, los siguientes son los dos pasos para manejar esas finalizaciones de E/S: - Llamar a complete() para informar al controlador de la capa superior de la finalizaci\u00f3n de la E/S. - Liberar los recursos del controlador asociados con sas_task en la llamada pm8001_ccb_task_free(). Cuando se llama a complete(), la capa superior puede liberar sas_task. Como tal, no debemos tocar el sas_task asociado despu\u00e9s, pero lo hacemos en la llamada pm8001_ccb_task_free(). Se soluciona intercambiando el orden de las llamadas complete() y pm8001_ccb_task_free()."}], "id": "CVE-2022-48792", "lastModified": "2024-08-07T19:29:33.360", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-07-16T12:15:03.983", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/d9d93f32534a0a80a1c26bdb0746d90a7b19c2c2"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/df7abcaa1246e2537ab4016077b5443bb3c09378"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/f61f9fccb2cb4bb275674a79d638704db6bc2171"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/fe9ac3eaa2e387a5742b380b73a5a6bc237bf184"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-416"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "kernel: scsi: pm8001: Fix use-after-free for aborted SSP/STP sas_task", "id": "2298128", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2298128"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.8", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-416", "details": ["In the Linux kernel, the following vulnerability has been resolved:\nscsi: pm8001: Fix use-after-free for aborted SSP/STP sas_task\nCurrently a use-after-free may occur if a sas_task is aborted by the upper\nlayer before we handle the I/O completion in mpi_ssp_completion() or\nmpi_sata_completion().\nIn this case, the following are the two steps in handling those I/O\ncompletions:\n- Call complete() to inform the upper layer handler of completion of\nthe I/O.\n- Release driver resources associated with the sas_task in\npm8001_ccb_task_free() call.\nWhen complete() is called, the upper layer may free the sas_task. As such,\nwe should not touch the associated sas_task afterwards, but we do so in the\npm8001_ccb_task_free() call.\nFix by swapping the complete() and pm8001_ccb_task_free() calls ordering.", "A use-after-free vulnerability in the Linux kernel's SCSI driver was resolved. This flaw occurred when a sas_task was aborted before I/O completion. The issue stemmed from the task being freed by the upper layer after the completion notification complete(), while the driver still accessed the task."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2022-48792", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2024-07-16T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2022-48792\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-48792\nhttps://lore.kernel.org/linux-cve-announce/2024071641-CVE-2022-48792-87c5@gregkh/T"], "statement": "Red Hat Enterprise Linux is not vulnerable to this CVE, as it does not affect the versions or configurations of the Linux kernel used in its distributions.", "threat_severity": "Moderate", "upstream_fix": "kernel 5.10.102, kernel 5.15.25, kernel 5.16.11, kernel 5.17"}